Bug 24441 - backuppc creates backups in directories with world writeable permission, patching rsync-bpc fixes that.
Summary: backuppc creates backups in directories with world writeable permission, patc...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal critical
Target Milestone: Mageia 7
Assignee: Guillaume Rousse
QA Contact:
URL:
Whiteboard:
Keywords: PATCH, UPSTREAM
Depends on:
Blocks:
 
Reported: 2019-02-28 09:46 CET by Marja Van Waes
Modified: 2019-03-04 22:17 CET (History)
4 users (show)

See Also:
Source RPM: rsync-bpc-3.0.9.8-3.mga7, backuppc-4.3.0-1.mga7
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Marja Van Waes 2019-02-28 09:46:11 CET 
+++ This bug was initially created as a clone of Bug #24010 +++


(In reply to Juergen Harms from bug #24010, comment #16)

> 
> 3. Bug re-opened because backuppc-4.3.0 (as did 4.1.3) creates directories
> for backed-up data with world-write permission (directories under
> /var/lib/backuppc/pc/...)
> 
<snip>
> 
> 4. Simple patch provided as a workaround for this problem (attachment 10721 [details]
> [details], comments 9 and 12). Locally builds and works fine and does not
> mess up the backup storage any more.
> 
> 5. Present situation:
> 
> Unpatched backuppc-4.3.0
>  - works smoothly, but creates backup data in /var/lib/backuppc/pc/... in
> directories that have world write permission;
>  - this is not dramatic as long as /var/lib/backuppc/ does not have
> world-execute permission, or as backup-up data are not exported; but
> backed-up data are kept over years, and accumulating directories with
> non-perfect protection is bad security
> 
> Patched backuppc-4.3.0 stops the world-write problem (it is a very local
> patch that cannot have side-effects).
> 

Thanks for your concern, Jürgen.

I'll close the original bug, because that issue got fixed and the requested update was done, too (thanks for that, David and Shlomi!)
Comment 1 Marja Van Waes 2019-02-28 10:01:21 CET 
Btw, Jürgen, your patch seems to be for rsync-bpc-3.0.9.8

Should I have assigned this bug to that tool instead of to backuppc?
Comment 2 Marja Van Waes 2019-02-28 10:04:31 CET 
(In reply to Marja Van Waes from comment #1)
> Btw, Jürgen, your patch seems to be for rsync-bpc-3.0.9.8
> 
> Should I have assigned this bug to that tool instead of to backuppc?

The patch itself is for ./backuppc/bpc_dirOps.c
But when you uploaded it, that comment https://bugs.mageia.org/show_bug.cgi?id=24010#c10 spoke of rync-bpc, that confused me, sorry.
Comment 3 Juergen Harms 2019-03-01 20:18:05 CET 
> Btw, Jürgen, your patch seems to be for rsync-bpc-3.0.9.8

Right, the problem is caused in rsync-bpc-3.0.9.8 - I only became conscious that backuppc uses its own rsync when I started digging into backuppc, but did not clarify this in my comments - extremely sorry.

> The patch itself is for ./backuppc/bpc_dirOps.c
> But when you uploaded it, that comment https://bugs.mageia.org
> /show_bug.cgi?id=24010#c10 spoke of rync-bpc, that confused me, sorry.

In the context of the diff file, "backuppc" is the name a directory in the source code - confusing

> Should I have assigned this bug to that tool instead of to backuppc?

The implementation of BackupPC is organized in 3 packages (backuppc, perl-BackupPC-XS, rsync-bpc). If somebody has a problem with backuppc and files a bug, he/she normally sees "a bug of backuppc" and will file the bug on backupp without knowing which component is at fault. I think that filing all bugs on "backuppc" is clearer and makes searching more efficient (perl-BackupPC-XS and rsync-bpc are, to my knowledge, not used outside the context of backuppc).

In the meantime, I have a new problem, backuppc stopped working - I guess that came with one of the recent updates of cauldron. I will try to get evidence starting with a clean install of Beta2 - helas, expensive in time; if necessary, I will submit a new bug.
Comment 4 Juergen Harms 2019-03-02 19:02:07 CET 
The new problem was home-made - no problem
Comment 5 Marja Van Waes 2019-03-03 00:09:14 CET 
(In reply to Juergen Harms from comment #3)
> > Btw, Jürgen, your patch seems to be for rsync-bpc-3.0.9.8
> 
> Right, the problem is caused in rsync-bpc-3.0.9.8 - I only became conscious
> that backuppc uses its own rsync when I started digging into backuppc, but
> did not clarify this in my comments - extremely sorry.
> 
> > The patch itself is for ./backuppc/bpc_dirOps.c
> > But when you uploaded it, that comment https://bugs.mageia.org
> > /show_bug.cgi?id=24010#c10 spoke of rync-bpc, that confused me, sorry.
> 
> In the context of the diff file, "backuppc" is the name a directory in the
> source code - confusing
> 
> > Should I have assigned this bug to that tool instead of to backuppc?
> 
> The implementation of BackupPC is organized in 3 packages (backuppc,
> perl-BackupPC-XS, rsync-bpc). If somebody has a problem with backuppc and
> files a bug, he/she normally sees "a bug of backuppc" and will file the bug
> on backupp without knowing which component is at fault. I think that filing
> all bugs on "backuppc" is clearer and makes searching more efficient
> (perl-BackupPC-XS and rsync-bpc are, to my knowledge, not used outside the
> context of backuppc).
> 

Thanks for the explanation :-)

rsync-bpc is maintained by guillomovitch, I'll reassign this report to him.

(The patch can be found in attachment #10721 [details] )

Keywords: (none) => PATCH
Source RPM: backuppc-4.3.0-1.mga7 => rsync-bpc-3.0.9.8-3.mga7, backuppc-4.3.0-1.mga7
Assignee: shlomif => guillomovitch
Summary: backuppc creates backups in directories with world writeable permission => backuppc creates backups in directories with world writeable permission, patching rsync-bpc fixes that.

Comment 6 Guillaume Rousse 2019-03-03 15:50:52 CET 
The patch hardcodes a specific permission scheme (0770) when creating directories, instead of changing the value of ACCESSPERMS (0777) in rsync.h. It would be simpler to just build with -DACCESSPERMS defined, with better consistency with other usage elsewhere. Anyway, I don't feel comfortable with both solution, and think the issue should be discussed upstream instead.

I may eventually report the issue myself on github (https://github.com/backuppc/rsync-bpc/issues), but I don't think I have much added value as intermediate, Juergen would probably be a better advocate for the problem.

Status: NEW => ASSIGNED

Comment 7 Juergen Harms 2019-03-03 21:52:40 CET 
> The patch hardcodes a specific permission scheme (0770) when creating
> directories, instead of changing the value of ACCESSPERMS (0777) in rsync.h
> ...

That would be the patch I had originally considered - I then preferred using a local constant since this does not risk the patch to have undesired side-effects elsewhere (and since the patch is only meant as a temporary workaround and does not aim at permanently fixing the underlying bug).

If my reading of the code is right, the original problem is a problem of handling umask: umask is set by the server as configured by $Conf{UmaskMode} (027) last thing before calling the client. This mask is then read by the client when it starts. The client remembers the initial value, but than goes ahead and modifies umask whenever need arrives. I guess that the logic in bpc_dirOps of using the value of 0777 (ACCESSPERMS) is that the permissions of directories are set under the assumption that umask has the originally set value - which it does not. This is a problem to be tackled by upstream (a promising approach could be to temporarily restore the originally memorized value of umask while the creating of a directory is launched)

For Mageia-7 I see 3 alternatives:
1. Provide backuppc-4.3.0 as it comes from upstream, arguing that backing up into world-writable directories is no problem as long as these directories are below a top-level directory which does not have world-permission for traversal.
2. Release Mageia-7 with backuppc version-3 (directory permissions are OK there).
3. Patch backuppc-4.3.0 in a way that - without fixing the underlying bug - backuppc writes properly protected directories.

Rather than shouting "bug" I had wanted to be constructive; I have no preference whatever whether "my patch" or any other approach is used (the essential effort anyhow was to clarify what goes wrong and creates the bad permissions); but I am of the strong opinion that alternative (1) is not adequate.

Guillaume, what alternative do you prefer? If we opt for (3), and seeing the upstream responsiveness I think Mageia should have some workaround available. Having watched the backuppc ML for a long time, my impression is that upstream responsiveness is strongly varying, and depends to a large degree on the time Craig Barrat has available for BackupPC.

I just created an issue at github https://github.com/backuppc/rsync-bpc/issues/9; I had already made a post in the backuppc user ML (the most active platform for communications with site administrators of backuppc) 2 weeks ago  - no reaction
Marja Van Waes 2019-03-04 08:31:08 CET

Keywords: (none) => UPSTREAM
Target Milestone: --- => Mageia 7
See Also: (none) => https://github.com/backuppc/rsync-bpc/issues/9

Comment 8 Juergen Harms 2019-03-04 10:30:34 CET 
Yesterday (Sunday) evening rsync-bpc-3.1.2.0-1 arrived on the mirrors. I now upgraded from rysnc-bpc-3.0.9.8-3 to this new (and unpatched) version and manually  launched a backup operation: no more  world-writable directories have been created.

Much ado about nothing, problem apparently solved. I have to run away now and will have time for more checking only later, please leave the bug still open.
Comment 9 Juergen Harms 2019-03-04 17:12:10 CET 
Looks perfect, OK to close
Comment 10 Guillaume Rousse 2019-03-04 22:17:34 CET 
Fixed, as per comment #9.

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.