Bug#252654: rdiff-backup --server gives full discretionary p
Got this bug report at Debian:

----- Forwarded message from Marc Haber <mh+debian-bugs < at > zugschlus.de> -----

From: Marc Haber <mh+debian-bugs < at > zugschlus.de>
Date: Fri, 04 Jun 2004 17:13:17 +0200
Reply-To: Marc Haber <mh+debian-bugs < at > zugschlus.de>, 252654 < at > bugs.debian.org
To: Debian Bug Tracking System <submit < at > bugs.debian.org>
Subject: Bug#252654: rdiff-backup --server gives full discretionary power

Package: rdiff-backup
Version: 0.13.3.jgoerzen-3
Severity: normal

Hi,

first, let me thank you for rdiff-backup. Apart from being written
in python (which I personally hate because it's such a huge
interpreter, leaving a big footprint on the system executing the
program), rdiff-backup is a very nice program. However, there is one
possible security issue.

When backing up a remote system to a local system, rdiff-backup needs
root privileges on the remote side to be able to read everything.
Thus, one is likely to say 'PermitRootLogin forced-commands-only' in
the sshd_config and to use 'command="rdiff-backup --server"' in the
authorized_keys file of the remote system.

However, rdiff-backup --server doesn't have any possibility to
restrict the operation. So, I could easily do a rdiff-backup from the
local box to the remote box, overwriting /etc/shadow and other
interesting files with my local versions. The only security I have
against this is the security of the private key which is an issue on
the local system.

I'd like to have a possibility to control _what_ is allowed on the
remote system, which is the one executing the 'rdiff-backup --server'
command. For example, there could be a configuration file that could
in the easiest situation say "this rdiff-backup server is only allowed
to do read operations here". In more complicated situations, the
config file could allow writing to one or more subtrees of the
system's file system tree.

I hope that I am making myself clear.

Greetings
Marc

-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.6-janeway
Locale: LANG=C, LC_CTYPE=C

Versions of packages rdiff-backup depends on:
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii librsync1 0.9.6-8 Binary diff library based on the r
ii python2.3 2.3.4-1 An interactive high-level object-o
ii rdiff 0.9.6-8 Binary diff tool for signature-bas

-- no debconf information


----- End forwarded message -----
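
A check for the setup described in the report, as an added example that is not part of the original post or of rdiff-backup: it scans authorized_keys lines for a forced `rdiff-backup --server` command that carries no path restriction. It assumes the `--restrict`, `--restrict-read-only` and `--restrict-update-only` options from the rdiff-backup man page are available in the installed version; the function names, verdict strings and sample keys are constructed.

```python
import os
import re
import shlex

# command="..." in the authorized_keys options field; \" is an escaped quote.
FORCED_CMD = re.compile(r'command="((?:\\.|[^"\\])*)"')
# Man-page options (assumed available); each takes the path to confine to.
RESTRICT_OPTS = ("--restrict", "--restrict-read-only", "--restrict-update-only")

def classify(line):
    """Return a verdict string for one authorized_keys key line."""
    m = FORCED_CMD.search(line)
    if m is None:
        return "no-forced-command"
    # sshd hands the string to the user's shell; shlex approximates its splitting.
    argv = shlex.split(m.group(1).replace('\\"', '"'))
    if not argv or os.path.basename(argv[0]) != "rdiff-backup" or "--server" not in argv:
        return "other-command"
    for i, arg in enumerate(argv):
        opt, _, path = arg.partition("=")
        if opt in RESTRICT_OPTS:
            path = path or (argv[i + 1] if i + 1 < len(argv) else "")
            if opt == "--restrict-read-only":
                return "read-only:" + path
            # Write access confined to the whole filesystem is no confinement.
            if os.path.normpath(path) == "/":
                return "unrestricted"
            return "write-limited:" + path
    return "unrestricted"  # the setup from the report: the peer may write anywhere

def audit(text):
    """Yield (line_number, verdict) for every key line of an authorized_keys file."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            yield n, classify(line)

# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE = '''\
# backup keys
command="rdiff-backup --server" ssh-rsa AAAAB3placeholder backup@local
command="rdiff-backup --server --restrict-read-only /",no-pty ssh-rsa AAAAB3placeholder backup@local
command="/usr/bin/rdiff-backup --server --restrict /srv/backup" ssh-rsa AAAAB3placeholder backup@local
command="rdiff-backup --server --restrict=/" ssh-rsa AAAAB3placeholder backup@local
ssh-rsa AAAAB3placeholder admin@local
'''

if __name__ == "__main__":
    print(list(audit(SAMPLE)))
```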
