Date:      Sat, 25 Sep 1999 22:16:52 -0400 (EDT)
From:      Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
To:        cjclark@home.com
Cc:        dillon@apollo.backplane.com (Matthew Dillon), freebsd-security@FreeBSD.ORG
Subject:   Re: dump(8) Insecurity/Misconfiguration
Message-ID:  <199909260216.WAA02587@khavrinen.lcs.mit.edu>
In-Reply-To: <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com>
References:  <199909260034.RAA59356@apollo.backplane.com> <199909260203.WAA48170@cc942873-a.ewndsr1.nj.home.com>

<<On Sat, 25 Sep 1999 22:03:23 -0400 (EDT), "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com> said:

>     "Dump cannot do remote backups without being run as root, due to its secu-
>      rity history.  This will be fixed in a later version of FreeBSD. Present-
>      ly, it works if you set it setuid (like it used to be), but this might
>      constitute a security risk."

Oof!  Really awful language for a manual page.  (Manual pages should
never use the second person.)

> And I often do dumps to tape drives that are not local.

Kerberos-authenticated remote dumps will still work without special
privileges (obviously!).  I'm in group operator on my desktop machine
so that I can easily perform remote dumps (since nobody here is so
stupid as to give root a .rhosts file).

If you care about security, and you are not running Kerberos, you
should not be using rdump -- use regular dump and ssh instead.  (Well,
unless you have trouble with licensing the RSA patent....)

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom 
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA|                     - Susan Aglukark and Chad Irschick

