Re: [Bacula-devel] Restore to directory pointed by a symlink

2018-04-10 Thread Martin Simmons 
> On Tue, 10 Apr 2018 08:32:45 +0200, Radosław Korzeniewski said:
> 
> 2018-04-09 13:42 GMT+02:00 Martin Simmons :
> 
> > Restoring through a symlink can cause a security vulnerability (see
> > https://cwe.mitre.org/data/definitions/61.html).
> >
> 
> I'm not sure if this CWE apply in this situation (I could be wrong) but I
> accept the response. In my opinion it limits the user flexibility on the
> benefit of security - as always. :)

Yes, your symlink is probably secure if you deny changes to /opt and
/opt/bacula-devel, but in other cases the ancestor directories containing the
symlink might be under the control of a non-privileged user.  For example,
/tmp/bacula-restores in the default config, or if a user wants something
restored to /home/user/important-files.

__Martin

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel

Re: [Bacula-devel] Restore to directory pointed by a symlink

2018-04-10 Thread Radosław Korzeniewski 
Hello Kern,

2018-04-09 18:19 GMT+02:00 Kern Sibbald :

> I don't think we support symlinks for the restore.  Of course the error
> message is not very explicit.
>
I do not understand your response. I can restore a symlink from backup
without a problem.
I have a problem restoring to the directory pointed by a symlink, no matter
what data I'm restoring.
The Martin Simmons give me a great explanation pointing to the CWE
recommendation.

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel

Re: [Bacula-devel] Restore to directory pointed by a symlink

2018-04-10 Thread Radosław Korzeniewski 
Hello Martin,

2018-04-09 13:42 GMT+02:00 Martin Simmons :

> Restoring through a symlink can cause a security vulnerability (see
> https://cwe.mitre.org/data/definitions/61.html).
>

I'm not sure if this CWE apply in this situation (I could be wrong) but I
accept the response. In my opinion it limits the user flexibility on the
benefit of security - as always. :)

Thanks for your response.

best regards
-- 
Radosław Korzeniewski
rados...@korzeniewski.net
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel

Re: [Bacula-devel] Restore to directory pointed by a symlink

2018-04-09 Thread Kern Sibbald 

  
  
I don't think we support symlinks for the restore.  Of course the
  error message is not very explicit.



On 04/09/2018 08:58 AM, Radosław
  Korzeniewski wrote:


  Hello,


I have a following setup:

  
  
  
*ver
pve-dir Version: 9.0.6 (20 November 2017)
  x86_64-pc-linux-gnu debian 9.4
  
  
  
  # ls -ld /opt/bacula-devel/archive
  lrwxrwxrwx 1 root root 8 Mar 28 17:03
/opt/bacula-devel/archive -> /archive
  
  
  and my /archive is a mounted external storage.
  
  
  During restore I've got a following errors:
  
  
  Error: mkpath.c:143 /opt/bacula-devel/archive exists but
is not a directory.
  
  Error: create_file.c:223 Could not create
/opt/bacula-devel/archive/bacula-restores/opt/bacula-devel/bin/bsmtp:
ERR=No such file or directory
  
  (...)
  
  
  The first error is partially true. Yes it is not a
directory, it is a symlink. But this symlink points to the
directory, so it should be not a problem to make a restore
here.
  
  
  I'm asking you if this behavior is intentional or is it a
bug? If it is intentional, I'd like to know the reason.
  
  
  best regards 
  -- 
  Radosław Korzeniewski
rados...@korzeniewski.net

  
  
  
  
  --
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
  
  
  
  ___
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel



  


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel

Re: [Bacula-devel] Restore to directory pointed by a symlink

2018-04-09 Thread Martin Simmons 
Restoring through a symlink can cause a security vulnerability (see
https://cwe.mitre.org/data/definitions/61.html).

__Martin


> On Mon, 9 Apr 2018 08:58:42 +0200, Radosław Korzeniewski said:
> 
> Hello,
> 
> I have a following setup:
> 
> *ver
> pve-dir Version: 9.0.6 (20 November 2017) x86_64-pc-linux-gnu debian 9.4
> 
> # ls -ld /opt/bacula-devel/archive
> lrwxrwxrwx 1 root root 8 Mar 28 17:03 /opt/bacula-devel/archive -> /archive
> 
> and my /archive is a mounted external storage.
> 
> During restore I've got a following errors:
> 
> Error: mkpath.c:143 /opt/bacula-devel/archive exists but is not a directory.
> Error: create_file.c:223 Could not create
> /opt/bacula-devel/archive/bacula-restores/opt/bacula-devel/bin/bsmtp:
> ERR=No such file or directory
> (...)
> 
> The first error is partially true. Yes it is not a directory, it is a
> symlink. But this symlink points to the directory, so it should be not a
> problem to make a restore here.
> 
> I'm asking you if this behavior is intentional or is it a bug? If it is
> intentional, I'd like to know the reason.
> 
> best regards
> -- 
> Rados�‚aw Korzeniewski
> rados...@korzeniewski.net

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Bacula-devel mailing list
Bacula-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-devel