On Tue, Aug 26, 2003 at 10:34:49AM -0500, Chris Barnes wrote:
> One of my student workers - who happens to be setting up Amanda,
> recently came to me with a concern about how the backup/restore process
> handles soft links. I suspect that this is a non-issue in that Amanda
> has already figured out a way to deal with this, but just in case...
>
> Let's say a user creates a soft link in their home directory that points
> to /usr/bin, eg:
>
> lrwxrwxrwx 1 cbarnes barnes 15 July 1 13:35 mybin -> /usr/bin/
>
> Then the backups of the home are run.
>
> Then the user removes the softlink and creates a real directory with
> that same name.
>
> drwxr-xr-x 2 cbarnes barnes 4096 Aug 18 17:23 mybin
>
> and then puts a modified program into that directory:
>
> drwxr-xr-x 2 cbarnes barnes 4096 Aug 18 17:23 ./
> drwxr-xr-x 13 cbarnes cbarnes 4096 Aug 25 17:31 ../
> -r-s--x--x 1 cbarnes barnes 7667 Aug 18 17:26 passwd*
>
> and backups are run again.
>
> The concern is that when a restore is run, the softlink to the /usr/bin
> directory will be recreated, then the file will be restored into that
> directory, overwriting the file that is supposed to be there (ie.
> creating a security issue).
>
> 1) Is this possible, or does Amanda already do something to prevent
> this?
> 2) If it is possible, are there any security considerations we need to
> take into consideration when running backups or restore jobs?

Amanda doesn't do anything about this--it just calls the underlying backup mechanism (gnutar or dump) to do the dirty work. It's up to the underlying backup mechanism to handle this. So the right people to be asking a question like this are the gnutar maintainers or the dump maintainers.

It's been too long since I wrote gnutar for me to remember how it handles cases like this. You should ask a more current maintainer.

A similar attack would be to have a directory "mybin" containing a file "passwd" before a dump is done. Then replace "mybin" with a symbolic link to "/bin" and request a restore of "mybin/passwd".

I'll check out both of these scenarios and report back on what I find.

-- 
JF
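
A pre-restore check for the two scenarios discussed in this thread, as an added example that is not part of the original messages and is not Amanda, gnutar or dump code: it lists archive members whose parent directory in the restore destination is currently a symbolic link. The function names, the in-memory archive and the scratch directory are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def symlinked_parents(dest, archive):
    """List (member, link_path, link_target) for members whose parent
    directory under dest currently passes through a symbolic link."""
    findings = []
    with tarfile.open(fileobj=archive, mode="r") as tar:
        for member in tar:
            current = dest
            parts = os.path.normpath(member.name.lstrip("/")).split(os.sep)
            for part in parts[:-1]:  # parents only, not the member itself
                current = os.path.join(current, part)
                if os.path.islink(current):
                    findings.append((member.name, current, os.readlink(current)))
                    break
    return findings


def second_backup():
    """Constructed sample: the real mybin directory and its setuid file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        d = tarfile.TarInfo("mybin")
        d.type, d.mode = tarfile.DIRTYPE, 0o755
        tar.addfile(d)
        data = b"constructed placeholder, not a real program\n"
        f = tarfile.TarInfo("mybin/passwd")
        f.size, f.mode = len(data), 0o4511  # -r-s--x--x as in the listing
        tar.addfile(f, io.BytesIO(data))
    buf.seek(0)
    return buf


def demo(with_link=True):
    """Check a scratch restore directory where mybin is a link or a real dir."""
    with tempfile.TemporaryDirectory() as dest:
        if with_link:
            os.symlink("/usr/bin/", os.path.join(dest, "mybin"))
        else:
            os.mkdir(os.path.join(dest, "mybin"))
        return symlinked_parents(dest, second_backup())


if __name__ == "__main__":
    for name, link, target in demo():
        print(f"{name}: {link} -> {target}, review before restoring")
```

Run against the destination before each backup level is applied, the same check covers both the link left behind by an earlier restore and a link placed in the live filesystem after the dump was taken.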