Re: We need a decent role-based way to get backup privileges

From: Joerg Schilling (js_at_cs.tu-berlin.de)
Date: 05/11/04


Date: 11 May 2004 12:38:20 GMT

In article <c7qg4a$2thm$2@nyheter.ipsec.se>, <phn@icke-reklam.ipsec.nu> wrote:

>> Backups done by ufsdump either need root access as you would
>> need with a clean backup design that honors layering, or it
>> gets the permission by bypassing all UNIX access control in case
>> the disk device is readable by a non root user.
>
>How utterly wrong. BSD 'operator' has read access to raw-disks
>and may consequently perform backup using 'dump'

'ufsdump' is utterly wrong (because it breaks the layering model
and accesses file system data the wrong way) and it is incredibly
slow compared to "star"

ftp://ftp.berlios.de/pub/star/alpha/

Circumventing the UNIX security model by accessing the raw disk
is just wrong.

>> Now that it has been proven that clean backup implementations
>> like "star" that honor layering can do anything that ufsdump
>> may do and in addition be much faster than ufsdump, I believe it's
>> time to change the mind and find a way to allow a non-root user
>> to run backups by accessing the filesystem cleanly through
>> the OS FS implementation.
>
>See this as a limitation that a utility that reads files
>"from above" has to obey ACL and permissions, whereas a utility
>that reads from "below" ( like dump) can do full backups
>without needing permissions. In addition "file access times"
>are not corrupted.

A decent OS is able to grant the Backup Operator the rights he needs
in a decent way and not by just allowing him to circumvent the security
model. On a decent OS, you may tell the OS not to modify
"file access times" when a backup is done.

Star is already able to tell Solaris not to modify the "file access times"
if it is run as root. Unfortunately, the Sun RBAC privileges(5) model
does not yet include a privilege tag for allowing this to non-root
users.
 

>> What would need is a RBAC way to tell the filesystem code in the
>> kernel that a specific application should have the permission
>> to read all files.
>
>Seems like a security risk to me.

It is a smaller security risk than the outdated UNIX dump model implies.

>Seems to me a complicated way that introduces yet another
>security hazard. Either you trust root or not. If you don't
>trust root there is nowhere to go... Protecting the raw-devices
>in contrast means to guard a simple mechanism that is proven
>and well-understood and exists in all forms of un*x

It is a way to _limit_ the possible security hazard by creating
a decent security mode.

-- 
EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
      js@cs.tu-berlin.de		(uni)  If you don't have iso-8859-1
      schilling@fokus.fraunhofer.de	(work) chars I am J"org Schilling
URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily
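Added example, not part of the thread or of star: a Python sketch of the "from above" backup read that the discussion contrasts with dump. It opens files through the ordinary file API, so DAC is enforced and an unreadable file is reported instead of bypassed, and then puts the access time back with os.utime(), which itself needs file ownership or a privilege; the file names and statuses are constructed for the demo.

```python
"""Backup reader that honors filesystem layering (added example)."""
import os
import tempfile


def backup_read(path):
    """Read one file via the FS layer and restore its atime.

    Returns (data, status); status is 'ok', 'read-denied' or
    'atime-not-restored'. Nothing here touches a raw device.
    """
    try:
        st = os.stat(path)
        with open(path, "rb") as f:
            data = f.read()
    except PermissionError:
        # The kernel enforced the file's permissions on the reader.
        return None, "read-denied"
    try:
        # Putting atime back needs ownership of the file or a privilege;
        # a plain backup operator cannot do this for other users' files.
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    except PermissionError:
        return data, "atime-not-restored"
    return data, "ok"


def atime_preserved(path):
    """True if backup_read() left st_atime_ns unchanged."""
    before = os.stat(path).st_atime_ns
    backup_read(path)
    return os.stat(path).st_atime_ns == before


def demo():
    """Run against constructed files in a temp dir.

    Returns (status of readable file, atime preserved?,
             status of a mode-000 file, running as root?).
    """
    with tempfile.TemporaryDirectory() as d:
        readable = os.path.join(d, "readable.txt")
        with open(readable, "wb") as f:
            f.write(b"constructed sample payload")
        locked = os.path.join(d, "locked.txt")
        with open(locked, "wb") as f:
            f.write(b"constructed, unreadable to non-root")
        os.chmod(locked, 0o000)
        return (backup_read(readable)[1], atime_preserved(readable),
                backup_read(locked)[1], os.geteuid() == 0)
```

Only root (or a process holding the equivalent privilege) gets "ok" for the mode-000 file; an unprivileged backup operator sees "read-denied", which is exactly the gap the requested RBAC privilege would close without handing out raw-disk access.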