Bug 12670 - dump/restore - should be OK to lose the suid bits now
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: dump
Version: 7.1
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
Keywords: Security
Reported: 2000-06-19 15:28 EDT by Chris Evans
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 2000-07-19 05:31:22 EDT
Description Chris Evans 2000-06-19 15:28:48 EDT
Hi

Summary says it all really.

To review why dump/restore were originally suid-root, it was to allow
non-root users to do network backups. This required a privileged low port
etc.

Recent versions of dump/restore (including the version shipped with BETA1)
support an alternative mechanism which does _not_ require the binaries
to be suid-root (or sgid I guess). The mechanism is via an environment
variable: RSH.

From the man-page of dump

RSH         Dump uses the contents of this variable to determine the name
            of the remote shell command to use when doing remote backups
            (rsh, ssh etc.).  If this variable is not set, rcmd(3) will
            be used, but only root will be able to do remote backups.

Also from the man-page

 Dump cannot do remote backups without being run as root, due to its
 security history.  Presently, it works if you set it setuid (like it used to
 be), but this might constitute a security risk. Note that you can set RSH
 to use a remote shell program instead.

So the upstream author explicitly recommends no suid/sgid bits and
thoughtfully provides an alternative for the few users of non-root network
backups.

And comments from the field
Stelian Pop <pop@cybercable.fr>:

For a default setup, I suggest the second method (you can always enable the 
suid-root bit later if needed, after reading the man page and accepting
the security implications).

Someone else said they were one of the few people who used the network
backups as a non-root user, but said they still wished the default was
non-suid due to the security implications.


Pretty please, consider shipping dump, restore, dump.static and
restore.static without any privilege? ;-)

At the very least try it for a public beta and see if anyone complains!

Chris
Comment 1 Chris Evans 2000-06-26 19:33:16 EDT
Not fixed in BETA2 - version updated

Incidentally - am I dreaming or is /sbin/dump missing in BETA2?
Comment 2 Preston Brown 2000-06-27 11:58:34 EDT
fixed today, Chris.  thanks.
Comment 3 Matthew Kirkwood 2000-07-19 05:31:20 EDT
The setuid bits are gone, but both executables have group tty.  I guess they
should have group root.

Matthew
- pedant
Comment 4 Bill Nottingham 2000-07-22 18:18:18 EDT
Hrm, yes. Fixed in dump-0.4b17-8.
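
Added example (not part of the original bug report or of the dump package): a POSIX shell check for the two conditions this thread ends on, no setuid/setgid bits on the binaries (Description) and the expected group ownership (Comment 3). The function name `check_priv` and its argument order are assumptions of this example.

```shell
#!/bin/sh
# check_priv EXPECTED_GROUP FILE...
# Prints one line per file and returns 0 only if no existing file carries a
# setuid or setgid bit and every existing file belongs to EXPECTED_GROUP.
# Files that are not present are reported and skipped (the .static variants
# are not installed everywhere).
check_priv() (
    want_group=$1
    shift
    bad=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "SKIP $f (not present)"
            continue
        fi
        flags=
        # -u / -g test the set-user-ID and set-group-ID mode bits.
        [ -u "$f" ] && flags="${flags}setuid "
        [ -g "$f" ] && flags="${flags}setgid "
        # Field 4 of the POSIX long listing is the group name.
        group=$(ls -ld "$f" | awk '{print $4}')
        [ "$group" != "$want_group" ] && flags="${flags}group=$group "
        if [ -n "$flags" ]; then
            echo "FINDING $f: ${flags% }"
            bad=$((bad + 1))
        else
            echo "OK $f"
        fi
    done
    [ "$bad" -eq 0 ]
)

# Stand-alone use: sh check_priv.sh root /sbin/dump <paths of restore,
# dump.static and restore.static as installed on the system>
if [ "$#" -gt 1 ]; then
    check_priv "$@"
    exit $?
fi
```

A non-zero exit status means at least one binary still has a privilege bit or an unexpected group, which makes the function usable as a packaging or post-install check.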
