[Box Backup] Symlink error in bbackupd?

Chris Wilson boxbackup@fluffy.co.uk
Mon, 5 Nov 2007 23:25:28 +0000 (GMT)


Hi Hans-Joachim,

On Mon, 5 Nov 2007, Hans-Joachim Baader wrote:

> The user visible message is:
> Exception: Common OSFileError (Error accessing a file. Check permissions.) (1/9)
>
> I can reproduce it if on the host where I extract the backup exists
> a directory in the root directory tree with the same name as the
> directory to be extracted and the permissions of this directory don't
> allow access. I know it sounds bizarre but it was a real problem for me
> while verifying the backup. In order to do this, I had to copy the
> config files of the client and make them accessible to the user that
> verifies the backups (not root). Here's how to reproduce it:
>
> On the client:
>
> mkdir -p /root/a/dir
> chmod 0700 /root/a
> echo 1234 > /root/a/dir/1234
> mkdir /root/b
> ln -s /root/a/dir /root/b/dir
> bbackupctl sync
>
> On the extraction host the directory /root/a must also exist. If it
> doesn't, all goes well!
>
> mkdir -p /root/a/dir
> chmod 0700 /root/a
>
> Then extract the backup as unprivileged user:
>
> strace shows:
>
> 25062 unlink("root/b/dir")              = 0
> 25062 symlink("/root/a/dir", "root/b/dir") = 0
> 25062 geteuid32()                       = 1000
> 25062 close(4)                          = 0
> 25062 write(1, ".", 1)                  = 1
> 25062 stat64("root/b/dir", 0xbfe58830)  = -1 EACCES (Permission denied)
> 25062 close(3)                          = 0
> 25062 write(1, "Exception: Common OSFileError (Error accessing a file. Check permissions.) (1/9)\n", 81) = 81
>
> The second line is correct, it restores the symlink. But it has no
> business to execute line 6: It follows a link it shouldn't.

Thanks for the detailed report, I've found and fixed the bug now. Will get 
it into trunk as soon as I can write to Subversion again.

I don't regard this as much of a security vulnerability, because we're 
only checking whether the file exists (after restoring it) but we should 
have used lstat() instead of stat(). If you happened to be able to look 
over Root's shoulder when he's restoring the files, you could use it to 
determine whether an arbitrary file exists or not :-)

Cheers, Chris.
-- 
_____ __     _
\  __/ / ,__(_)_  | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
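
The stat() versus lstat() difference discussed in this message, as an added example that is not part of the original e-mail and is not Box Backup code. The helper names and the temporary directory layout are assumptions; the dangling-link case goes beyond the reported one to show the same behaviour independent of privileges.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not Box Backup code. Returns 0 if the entry exists,
 * otherwise errno. follow=1 is the stat() check, follow=0 the lstat() one. */
int check_restored(const char *path, int follow, int *is_link)
{
    struct stat st;
    if ((follow ? stat(path, &st) : lstat(path, &st)) != 0)
        return errno;
    if (is_link)
        *is_link = S_ISLNK(st.st_mode) ? 1 : 0;
    return 0;
}

/* Constructed scenario in a temp dir: symlink b_dir -> <tmp>/a/dir.
 * dangling=0: target exists but a/ is made unsearchable (the reported case).
 * dangling=1: target is never created (behaves the same for root). */
int run_scenario(int dangling, int *stat_err, int *lstat_err, int *is_link)
{
    char base[] = "/tmp/lstat-demo-XXXXXX";
    char a[PATH_MAX], target[PATH_MAX], lnk[PATH_MAX];
    if (!mkdtemp(base))
        return -1;
    snprintf(a, sizeof a, "%s/a", base);
    snprintf(target, sizeof target, "%s/a/dir", base);
    snprintf(lnk, sizeof lnk, "%s/b_dir", base);
    if (mkdir(a, 0700) || (!dangling && mkdir(target, 0700)) || symlink(target, lnk))
        return -1;
    if (!dangling)
        chmod(a, 0);
    *stat_err = check_restored(lnk, 1, NULL);     /* follows the link */
    *lstat_err = check_restored(lnk, 0, is_link); /* inspects the link itself */
    chmod(a, 0700);                               /* restore access for cleanup */
    rmdir(target); rmdir(a); unlink(lnk); rmdir(base);
    return 0;
}

int main(void)
{
    int s, l, k = 0;
    if (run_scenario(0, &s, &l, &k) == 0)
        printf("unsearchable target: stat errno=%d lstat errno=%d symlink=%d\n", s, l, k);
    if (run_scenario(1, &s, &l, &k) == 0)
        printf("dangling target: stat errno=%d lstat errno=%d symlink=%d\n", s, l, k);
    return 0;
}
```

Run as an unprivileged user, the first scenario reports EACCES from stat() while lstat() succeeds; a process that can bypass directory permissions sees stat() succeed there, which is why the dangling case is included.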