Remote dumps as root (was Re: Why does "root" worn everything?)

karish karish at denali.UUCP
Wed Mar 23 13:03:05 AEST 1988


In article <1610 at pinney.munsell.UUCP> pz at pinney.UUCP (Paul Czarnecki) writes:
>
>I asked Sun what to do about this.  (Isn't software support wonderful)
>They just told me to make /etc/dump setuid root, setgid operator.
>None of my backups are done by someone logging in as root.
>
>Was this stupid?

This advice isn't stupid, but it's also not complete.

There is an important security issue here, which setuid programs alone
don't solve.  The rdump command gets access to the remote tape drive by
using the rcmd() library function, with "root" as the remuser
argument.  The hosts.equiv mechanism typically denies transparent
remote access to root.

This denial is a Good Thing, since it means that if security is
compromised on one machine, peers may still be safe.

The fix is to use a special user ID, perhaps 'operator' or 'system', to
run the remote process.  This is easy if you have source.  It's
probably possible to patch the rdump binary to change the string 'root'
in the parameter list for rcmd(); the string only shows up once in my
(4.3BSD/SULTRIX) rdump executable.
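To make the hosts.equiv point concrete, here is an added example (my own illustration, not code from the post or from BSD) that models the decision rshd makes through ruserok(3) when rdump's rcmd() call arrives.  It is a simplified model: the real function reads /etc/hosts.equiv and ~luser/.rhosts from disk and also handles "+", "-" and netgroup entries, while this version takes the file contents as strings and understands only "host" and "host user" lines.  The host names and the dumpadm account are constructed for the demonstration.  The rule that matters is visible in model_ruserok(): hosts.equiv is never consulted when the target account is root, so a remuser of "root" is refused unless the server's own /.rhosts lists the client, whereas a remuser of "operator" passes on the strength of hosts.equiv alone.

```c
/*
 * Added example, not part of the original post: a simplified model of the
 * BSD ruserok(3) check that decides whether an rcmd() connection is accepted.
 * File contents are passed as strings so the code runs offline; the real
 * routine reads /etc/hosts.equiv and ~luser/.rhosts and supports more syntax.
 */
#include <stdio.h>
#include <string.h>

/* Return 1 if some "host" or "host user" line of `table` lets `ruser` on
 * `rhost` act as the local account `luser`.  A bare "host" line means the
 * same user name on both sides; "host user" names a specific remote user. */
static int table_allows(const char *table, const char *rhost,
                        const char *ruser, const char *luser)
{
    const char *p = table;

    while (p != NULL && *p != '\0') {
        char line[512], host[256], user[256];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int n;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : NULL;

        n = sscanf(line, "%255s %255s", host, user);
        if (n < 1 || host[0] == '#')          /* blank or comment line */
            continue;
        if (strcmp(host, rhost) != 0)
            continue;
        if (n == 1 ? strcmp(ruser, luser) == 0 : strcmp(user, ruser) == 0)
            return 1;
    }
    return 0;
}

/* 0 = access granted, -1 = denied (same convention as ruserok(3)).
 * hosts_equiv: contents of /etc/hosts.equiv on the tape server.
 * luser_rhosts: contents of ~luser/.rhosts on the tape server, or NULL. */
int model_ruserok(const char *hosts_equiv, const char *luser_rhosts,
                  const char *rhost, const char *ruser, const char *luser)
{
    int superuser = strcmp(luser, "root") == 0;

    /* The superuser is never trusted on the basis of hosts.equiv alone. */
    if (!superuser && table_allows(hosts_equiv, rhost, ruser, luser))
        return 0;
    if (luser_rhosts != NULL && table_allows(luser_rhosts, rhost, ruser, luser))
        return 0;
    return -1;
}

int main(void)
{
    /* Constructed: the tape server trusts the dump client in hosts.equiv,
     * and root on the tape server has no /.rhosts file. */
    const char *equiv = "client.example.edu\n";
    const char *client = "client.example.edu";

    printf("rdump as root:     %s\n",
           model_ruserok(equiv, NULL, client, "root", "root") == 0
               ? "granted" : "denied");
    printf("rdump as operator: %s\n",
           model_ruserok(equiv, NULL, client, "operator", "operator") == 0
               ? "granted" : "denied");
    return 0;
}
```

Run stand-alone it prints "denied" for the root case and "granted" for operator, which is exactly why the stock rdump fails across hosts that keep root out of hosts.equiv while a build (or patched binary) that passes 'operator' to rcmd() succeeds without weakening the peer's protection of its own root account.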

The rdump executable should still be a setuid program, setgid to a group
of trusted users, with no execute permission for others.

This configuration worked for us between two (4.2BSD) VAXen at the
Stanford School of Earth Sciences, when one of our tape drives broke.
I think the UCSF computer center uses the same scheme to back up a
client's Sun disk server from a computer center VAX.

I hope this helps.

Chuck
