os.makedirs Security Violation

Mike Bydalek-3
Hello.

I just started playing around with rdiff-backup 1.0.1 and came across a
problem with the --create-full-path option.

Basically, I'm initiating all my backups from the clients (for security
reasons), and therefore am connecting to the backup server as a standard
user.   Below is what I am running, and what I get:

$ rdiff-backup --create-full-path /home/mbydalek/bleh/
backupuser@backupserver::home/mbydalek/bleh
Traceback (most recent call last):
  File "/usr/bin/rdiff-backup", line 23, in ?
    rdiff_backup.Main.Main(sys.argv[1:])
  File "/usr/lib/python2.4/site-packages/rdiff_backup/Main.py", line
283, in Main
    take_action(rps)
  File "/usr/lib/python2.4/site-packages/rdiff_backup/Main.py", line
253, in take_action
    elif action == "backup": Backup(rps[0], rps[1])
  File "/usr/lib/python2.4/site-packages/rdiff_backup/Main.py", line
292, in Backup
    backup_check_dirs(rpin, rpout)
  File "/usr/lib/python2.4/site-packages/rdiff_backup/Main.py", line
332, in backup_check_dirs
    if create_full_path: rpout.makedirs()
  File "/usr/lib/python2.4/site-packages/rdiff_backup/rpath.py", line
801, in makedirs
    self.conn.os.makedirs(self.path)
  File "/usr/lib/python2.4/site-packages/rdiff_backup/connection.py",
line 445, in __call__
    return apply(self.connection.reval, (self.name,) + args)
  File "/usr/lib/python2.4/site-packages/rdiff_backup/connection.py",
line 367, in reval
    if isinstance(result, Exception): raise result
rdiff_backup.Security.Violation:
Warning Security Violation!
Bad request for function: os.makedirs
with arguments: ['home/mbydalek/bleh']

It seems like it doesn't want to create the subdirectories due to a
Security Violation.  Since I am running as a non-privileged user on the
backup server, is that causing the problems?  If not, what could it be?

Thanks,
Mike



_______________________________________________
rdiff-backup-users mailing list at [hidden email]
http://lists.nongnu.org/mailman/listinfo/rdiff-backup-users
Wiki URL: http://rdiff-backup.solutionsfirst.com.au/index.php/RdiffBackupWiki

Re: os.makedirs Security Violation

Keith Edmunds
Mike Bydalek wrote:
> It seems like it doesn't want to create the subdirectories due to a
> Security Violation.  Since I am running as a non-privileged user on the
> backup server, is that causing the problems?

If the user under which you are running on the backup server does not
have the permissions to create the directory tree then yes.

If you have interactive access to the backup server you can try this out
with:

        mkdir -p home/mbydalek/bleh

--
Keith Edmunds

+---------------------------------------------------------------------+
|  Tiger Computing Ltd  |  Helping businesses make the most of Linux  |
|  "The Linux Company"  |    http://www.TheLinuxConsultancy.co.uk     |
+---------------------------------------------------------------------+



Re: os.makedirs Security Violation

Mike Bydalek-3
Keith Edmunds wrote:

> Mike Bydalek wrote:
>> It seems like it doesn't want to create the subdirectories due to a
>> Security Violation.  Since I am running as a non-privileged user on
>> the backup server, is that causing the problems?
>
> If the user under which you are running on the backup server does not
> have the permissions to create the directory tree then yes.
>
> If you have interactive access to the backup server you can try this
> out with:
>
>     mkdir -p home/mbydalek/bleh

That's just the thing, the permissions on the backup server are all set
correctly.  The problem isn't with permissions at all because even if I
log in as root@backupserver, I still get the Security Violation error.

It just seems like this option is broken.  If I try running rdiff-backup
on my client as root and connect to the backup server as root, I get the
same error.

Any other ideas for me to try?  Also, where would I submit a bug report
if this is a bug?

I'm not really familiar with Python too much, so is there a setting or
something that's preventing this from running in a global config somewhere?

Thanks,
Mike




Re: os.makedirs Security Violation

Keith Edmunds
Mike Bydalek wrote:
> That's just the thing, the permissions on the backup server are all set
> correctly.  The problem isn't with permissions at all because even if I
> log in as root@backupserver, I still get the Security Violation error.

If you login interactively can you then execute 'mkdir -p
home/mbydalek/bleh'?

> It just seems like this option is broken.  If I try running rdiff-backup
> on my client as root and connect to the backup server as root, I get the
> same error.

Please try it without rdiff-backup (as above). I use this option on a
number of servers every night, so whilst it may not be bug-free, it
isn't completely broken.

> Any other ideas for me to try?  Also, where would I submit a bug report
> if this is a bug?

Yes: try the interactive command as the user that runs rdiff-backup on
the server. If it fails then please post the full output here. Bug
reports can be made at the rdiff-backup homepage, but seeing as I wrote
that particular option I'm happy to discuss it here.

> I'm not really familiar with Python too much, so is there a setting or
> something that's preventing this from running in a global config somewhere?

Unlikely.

Keith



Re: os.makedirs Security Violation

Mike Bydalek-3
Keith Edmunds wrote:
> Mike Bydalek wrote:
>> That's just the thing, the permissions on the backup server are all
>> set correctly.  The problem isn't with permissions at all because
>> even if I log in as root@backupserver, I still get the Security
>> Violation error.
>
> If you login interactively can you then execute 'mkdir -p
> home/mbydalek/bleh'?

Yes, I can do this with no problem, especially when I login as root ;)
Sorry, I meant to include this in my other e-mail, but assumed it would
be inferred when I was able to login as root.

>
>> It just seems like this option is broken.  If I try running
>> rdiff-backup on my client as root and connect to the backup server as
>> root, I get the same error.
>
> Please try it without rdiff-backup (as above). I use this option on a
> number of servers every night, so whilst it may not be bug-free, it
> isn't completely broken.

I suppose I *could* do a mkdir -p, but it just seems redundant to do.  
Sure, it's no problem to check if the directory exists and create it,
but still, the man page says it should work =P

-Mike



Re: os.makedirs Security Violation

Keith Edmunds
Mike Bydalek wrote:
> I suppose I *could* do a mkdir -p, but it just seems redundant to do.

I didn't mean to suggest that you should manually create directories -
as you say, that's the whole point of this switch in rdiff-backup. That
said, this option is very simply implemented, and I can see no reason
why user X should be able to successfully create multiple directory
paths in one go using 'mkdir' but not using 'os.makedirs' in Python.

Please try this whilst logged into the backup server *as the user who
runs rdiff-backup* - let me stress, it MUST be as the user who
experienced the original problem ("backupuser" in your original posting):

$ python
 >>> import os
 >>> os.makedirs('/home/mbydalek/x/y/z')
 >>> ^D

...and let me know what happens. You can remove the superfluous
directories after with "rm -r /home/mbydalek/x".

Keith

--
Keith Edmunds

+---------------------------------------------------------------------+
|  Tiger Computing Ltd  |  Helping businesses make the most of Linux  |
|  "The Linux Company"  |    http://www.TheLinuxConsultancy.co.uk     |
+---------------------------------------------------------------------+



Re: os.makedirs Security Violation

Mike Bydalek-3
Keith Edmunds wrote:

> Mike Bydalek wrote:
>> I suppose I *could* do a mkdir -p, but it just seems redundant to do.
>
> Please try this whilst logged into the backup server *as the user who
> runs rdiff-backup* - let me stress, it MUST be as the user who
> experienced the original problem ("backupuser" in your original posting):
>
> $ python
> >>> import os
> >>> os.makedirs('/home/mbydalek/x/y/z')
> >>> ^D
>
> ...and let me know what happens. You can remove the superfluous
> directories after with "rm -r /home/mbydalek/x".

Since I am doing it relative to backupuser's home directory, I left out
the first /.  That said, the code above worked just fine.

-Mike



Re: os.makedirs Security Violation

Keith Edmunds
Mike Bydalek wrote:
> Since I am doing it relative to backupuser's home directory, I left out
> the first /.  That said, the code above worked just fine.

Well, I'm not sure what to say - that is exactly the code that
rdiff-backup is using.

Ben, do you have any ideas?

Keith



Re: os.makedirs Security Violation

Ben Escoto
>>>>> Mike Bydalek <[hidden email]>
>>>>> wrote the following on Thu, 20 Oct 2005 10:14:09 -0700
> > $ python
> > >>> import os
> > >>> os.makedirs('/home/mbydalek/x/y/z')
> > >>> ^D
> >
> > ...and let me know what happens. You can remove the superfluous
> > directories after with "rm -r /home/mbydalek/x".
> Since I am doing it relative to backupuser's home directory, I left out
> the first /.  That said, the code above worked just fine.

The "security violation" is raised by rdiff-backup's internal security
scheme.  Recently (v1.0.0?) a hole was plugged in it, and as an
unintended consequence some options like --create-full-path may now
cause false positives.

Please run rdiff-backup again with -v7 and post all the traceback
information it spews before the crash.


--
Ben Escoto
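
The failure mode described in the message above (a server-side request allowlist that is tightened and then rejects a legitimate call) can be reproduced with a small model. This is an added example, not rdiff-backup's Security.py or the patch referenced later in the thread; the class `RequestVetter`, the allowlist contents, the `/srv/backups` root and the choice to resolve relative paths against that root are all assumptions made for illustration.

```python
import os

class Violation(Exception):
    """Raised when a remote peer requests something it is not allowed to."""

class RequestVetter:
    """Toy model of server-side request vetting (not rdiff-backup's Security.py)."""

    # Functions whose first argument is a path that must stay under the root.
    PATH_FUNCTIONS = {"os.makedirs", "os.listdir"}

    def __init__(self, allowed, root):
        self.allowed = frozenset(allowed)   # function names the peer may call
        self.root = os.path.abspath(root)   # directory the peer is confined to

    def _inside_root(self, path):
        # Resolve relative to the root and normalise away any ".." components.
        full = os.path.abspath(os.path.join(self.root, path))
        return os.path.commonpath([full, self.root]) == self.root

    def vet(self, name, args):
        ok = name in self.allowed
        if ok and name in self.PATH_FUNCTIONS:
            ok = bool(args) and self._inside_root(args[0])
        if not ok:
            # Same message layout as the traceback in the thread.
            raise Violation("\nWarning Security Violation!\n"
                            "Bad request for function: %s\n"
                            "with arguments: %s" % (name, args))

def check(vetter, name, args):
    """Return 'ok' or 'violation' for one request."""
    try:
        vetter.vet(name, args)
        return "ok"
    except Violation:
        return "violation"

ROOT = "/srv/backups"   # constructed example path
# Allowlist tightened without covering --create-full-path: false positive.
BEFORE = RequestVetter({"os.listdir"}, ROOT)
# Allowlist extended so that the legitimate request passes again.
AFTER = RequestVetter({"os.listdir", "os.makedirs"}, ROOT)

if __name__ == "__main__":
    for label, v in (("before", BEFORE), ("after", AFTER)):
        print(label, check(v, "os.makedirs", ["home/mbydalek/bleh"]))
    print("escape", check(AFTER, "os.makedirs", ["../elsewhere"]))
    print("unlisted", check(AFTER, "os.chmod", ["home", 0o777]))
```

The rejection happens before any filesystem call is attempted, which is why the same violation appears regardless of which account the server process runs as.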


Re: os.makedirs Security Violation

Mike Bydalek-3
Ben Escoto wrote:

>>>>>> Mike Bydalek <[hidden email]>
>>>>>> wrote the following on Thu, 20 Oct 2005 10:14:09 -0700
>
> > > $ python
> > > >>> import os
> > > >>> os.makedirs('/home/mbydalek/x/y/z')
> > > >>> ^D
>
> Please run rdiff-backup again with -v7 and post all the traceback
> information it spews before the crash

Here's the -v7 as requested.

-Mike

$ rdiff-backup -v7 --create-full-path /home/mbydalek/bleh/
backupserver::home/mbydalek/bleh
Executing ssh -C backupserver rdiff-backup --server
Registering connection 1
Making directory path home/mbydalek/bleh
Sending back exception
Warning Security Violation!
Bad request for function: os.makedirs
with arguments: ['home/mbydalek/bleh']
 of type rdiff_backup.Security.Violation:
  File "/usr/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 333, in answer_request
    Security.vet_request(request, argument_list)
  File "/usr/lib/python2.3/site-packages/rdiff_backup/Security.py", line
205, in vet_request
    raise_violation(request, arglist)
  File "/usr/lib/python2.3/site-packages/rdiff_backup/Security.py", line
186, in raise_violation
    raise Violation("\nWarning Security Violation!\n"

Traceback (most recent call last):
  File "/usr/bin/rdiff-backup", line 23, in ?
    rdiff_backup.Main.Main(sys.argv[1:])
  File "/usr/lib/python2.4/site-packages/rdiff_backup/Main.py", line
283, in Main
    take_action(rps)
  File "/usr/lib/python2.4/site-packages/rdiff_backup/Main.py", line
253, in take_action
    elif action == "backup": Backup(rps[0], rps[1])
  File "/usr/lib/python2.4/site-packages/rdiff_backup/Main.py", line
292, in Backup
    backup_check_dirs(rpin, rpout)
  File "/usr/lib/python2.4/site-packages/rdiff_backup/Main.py", line
332, in backup_check_dirs
    if create_full_path: rpout.makedirs()
  File "/usr/lib/python2.4/site-packages/rdiff_backup/rpath.py", line
801, in makedirs
    self.conn.os.makedirs(self.path)
  File "/usr/lib/python2.4/site-packages/rdiff_backup/connection.py",
line 445, in __call__
    return apply(self.connection.reval, (self.name,) + args)
  File "/usr/lib/python2.4/site-packages/rdiff_backup/connection.py",
line 367, in reval
    if isinstance(result, Exception): raise result
rdiff_backup.Security.Violation:
Warning Security Violation!
Bad request for function: os.makedirs
with arguments: ['home/mbydalek/bleh']

mbydalek@localhost ~ $ Traceback (most recent call last):
  File "/usr/bin/rdiff-backup", line 23, in ?
    rdiff_backup.Main.Main(sys.argv[1:])
  File "/usr/lib/python2.3/site-packages/rdiff_backup/Main.py", line
283, in Main
    take_action(rps)
  File "/usr/lib/python2.3/site-packages/rdiff_backup/Main.py", line
251, in take_action
    connection.PipeConnection(sys.stdin, sys.stdout).Server()
  File "/usr/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 352, in Server
    self.get_response(-1)
  File "/usr/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 314, in get_response
    try: req_num, object = self._get()
  File "/usr/lib/python2.3/site-packages/rdiff_backup/connection.py",
line 230, in _get
    raise ConnectionReadError("Truncated header string (problem "
rdiff_backup.connection.ConnectionReadError: Truncated header string
(problem probably originated remotely)




Re: os.makedirs Security Violation

Ben Escoto
>>>>> Mike Bydalek <[hidden email]>
>>>>> wrote the following on Fri, 21 Oct 2005 15:07:45 -0700

> Here's the -v7 as requested.

The little patch at:

http://savannah.nongnu.org/cgi-bin/viewcvs/rdiff-backup/rdiff-backup/rdiff_backup/Security.py.diff?r2=1.25.2.1&r1=1.25&diff_format=u

should fix the problem.


--
Ben Escoto


Re: os.makedirs Security Violation

Ben Escoto
>>>>> Ben Escoto <[hidden email]>
>>>>> wrote the following on Fri, 21 Oct 2005 21:47:36 -0500
>
> The little patch at:
>
> http://savannah.nongnu.org/cgi-bin/viewcvs/rdiff-backup/rdiff-backup/rdiff_backup/Security.py.diff?r2=1.25.2.1&r1=1.25&diff_format=u
>
> should fix the problem.

Oops, too little, I forgot a spot.  You need:

http://savannah.nongnu.org/cgi-bin/viewcvs/rdiff-backup/rdiff-backup/rdiff_backup/Security.py.diff?r2=1.25.2.2&only_with_tag=r1-0&r1=1.25.2.1&diff_format=u

also.  After that I think it should be ok.


--
Ben Escoto


Re: os.makedirs Security Violation

Mike Bydalek-3
Ben Escoto wrote:

>>>>>> Ben Escoto <[hidden email]>
>>>>>> wrote the following on Fri, 21 Oct 2005 21:47:36 -0500
>>>>>>            
>> The little patch at:
>>
>> http://savannah.nongnu.org/cgi-bin/viewcvs/rdiff-backup/rdiff-backup/rdiff_backup/Security.py.diff?r2=1.25.2.1&r1=1.25&diff_format=u
>>
>> should fix the problem.
>>    
>
> Oops, too little, I forgot a spot.  You need:
>
> http://savannah.nongnu.org/cgi-bin/viewcvs/rdiff-backup/rdiff-backup/rdiff_backup/Security.py.diff?r2=1.25.2.2&only_with_tag=r1-0&r1=1.25.2.1&diff_format=u
>
> also.  After that I think it should be ok.
>

Nice call.  I was literally in the process of writing an e-mail, and
just got back to the computer to see your e-mail waiting ;)

Using both of these did the trick and --create-full-path works as
expected now.

-Mike

