Bug 12670 - dump/restore - should be OK to lose the suid bits now
Summary: dump/restore - should be OK to lose the suid bits now
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: dump   
(Show other bugs)
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-06-19 19:28 UTC by Chris Evans
Modified: 2008-05-01 15:37 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-07-19 09:31:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Chris Evans 2000-06-19 19:28:48 UTC

Summary says it all really.

To review why dump/restore were originally suid-root, it was to allow
non-root users to do network backups. This required a privileged low port

Recent versions of dump/restore (including the version shipped with BETA1)
support an alternative mechanism which does _not_ require the binaries
to be suid-root (or sgid I guess). The mechanism is via an environment
variable: RSH.

From the man-page of dump

RSH         Dump uses the contents of this variable to determine the name
            of the remote shell command to use when doing remote backups
            (rsh, ssh etc.).  If this variable is not set, rcmd(3) will
            be used, but only root will be able to do remote backups.

Also from the man-page

 Dump cannot do remote backups without being run as root, due to its secu-
 rity history.  Presently, it works if you set it setuid (like it used to
 be), but this might constitute a security risk. Note that you can set RSH
 to use a remote shell program instead.

So the upstream author explicits recommends no suid/sgid bits and
thoughtfully provides an alternative for the few users of non-root network

And comments from the field
Stelian Pop <pop@cybercable.fr>:

For a default setup, I suggest the second method (you can always enable the 
suid-root bit later if needed, after reading the man page and accepting
the security implications).

Someone else said they were one of the few people who used the network
backups as a non-root user, but said they still wished the default was
non-suid due to the security implications.

Pretty please, consider shipping dump,restore,dump.static and
restore.static without any privilege? ;-)

At the very least try it for a public beta and see if anyone complains!


Comment 1 Chris Evans 2000-06-26 23:33:16 UTC
Not fixed in BETA2 - version updated

Incidentally - am I dreaming or is /sbin/dump missing in BETA2?

Comment 2 Preston Brown 2000-06-27 15:58:34 UTC
fixed today, Chris.  thanks.

Comment 3 Matthew Kirkwood 2000-07-19 09:31:20 UTC
The setuid bits are gone, but both executables have group tty.  I guess they
should have group root.

- pedant

Comment 4 Bill Nottingham 2000-07-22 22:18:18 UTC
Hrm, yes. Fixed in dump-0.4b17-8.

Note You need to log in before you can comment on or make changes to this bug.