Backup Central

Hello,
I'm testing the new archive capabilities of backuppc

but when i try to test this using the cgi i've got this error after
hitting the archives selected host button
I join my host, config.pl and archive.pl wich are all in
/var/lib/backuppc/conf directory

I'm sure i miss something but can't find it

thank for your help


Software error:

Insecure dependency in require while running setuid at /usr/share/backuppc/lib/BackupPC/Lib.pm line 348.

For help, please send mail to the webmaster (webmaster < at > localhost
<mailto:webmaster < at > localhost>), giving this error message and the time
and date of the error.




Alias /backuppc/ /usr/share/backuppc/cgi-bin/


<Directory /usr/share/backuppc/cgi-bin/>
AllowOverride None

Options ExecCGI FollowSymlinks
AddHandler cgi-script .cgi
AuthGroupFile /var/lib/backuppc/conf/htgroup
AuthUserFile /var/lib/backuppc/conf/htpasswd
AuthType basic
AuthName "BackupPC admin"
require valid-user

</Directory>

zorg writes:

I'm testing the new archive capabilities of backuppc

but when i try to test this using the cgi i've got this error after
hitting the archives selected host button
I join my host, config.pl and archive.pl wich are all in
/var/lib/backuppc/conf directory

I'm sure i miss something but can't find it

thank for your help

Software error:

Insecure dependency in require while running setuid at /usr/share/backuppc/lib/BackupPC/Lib.pm line 348.

This is a bug. The host name is not being untainted, which matters
when the CGI script is setuid. Here's a patch.

Craig

--- lib/BackupPC/CGI/Lib.pm Sat Jun 19 19:28:08 2004
+++ lib/BackupPC/CGI/Lib.pm Wed Jun 23 00:15:16 2004
< at > < at > -154,6 +154,15 < at > < at >
{map {$_, 1} split(",", $Hosts->{$host}{moreUsers}) }
}
}
+
+ #
+ # Untaint the host name
+ #
+ if ( $In{host} =~ /^([\w.\s-]+)$/ ) {
+ $In{host} = $1;
+ } else {
+ delete($In{host});
+ }
}

sub timeStamp2


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
digital self defense, top technical experts, no vendor pitches,
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
BackupPC-users mailing list
BackupPC-users < at > lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/backuppc-users
http://backuppc.sourceforge.net/

On Wed, 2004-06-23 at 02:24, Craig Barratt wrote:

Insecure dependency in require while running setuid at /usr/share/backuppc/lib/BackupPC/Lib.pm line 348.

This is a bug. The host name is not being untainted, which matters
when the CGI script is setuid. Here's a patch.

A couple more nits:

1) After applying this patch it complained about
not finding /usr/bin/par2 as an executable even though I only set
up a tape archive which shouldn't need it.

2) Doing compression to a tape that expects full blocks will fail as
the last block isn't padded. With compression = none it works so
the tar image must be padded. The default on Linux for a dds tape
seems to be 512 byte blocks but maybe there should be an option to
pipe through dd with some obs=size setting to permit reblocking, or
through one of those programs that buffers and attempts to keep the
tape streaming.

---
Les Mikesell
les < at > futuresource.com