#20262 Project web content issue: amanda

Status: closed
Owner: Jacob Moorman
Priority: 5
Updated: 2001-10-29
Created: 2001-10-16
Creator: Todd Kover
Private: No

Our web hierarchy (/home/groups/a/am/amanda) seems to
have completely disappeared and we're not quite sure
what happened to it.

We've restored what we can from our CVS repository
where much of it lives, but we weren't keeping an
offsite copy of the hierarchy so we can't regenerate a
lot of it.

Did something happen such that it would disappear? Is
there any way we can get it back?

It disappeared on October 9.

It's a little embarrassing to tell people that the
AMANDA project didn't do backups. :-)

thanks,
-Todd

Discussion

  • Trae McCombs
    2001-10-16

    • assigned_to: nobody --> moorman
    • milestone: 104417 --> Second Level Support
     
  • Jacob Moorman
    2001-10-19

    • summary: web hierarchy disappeared --> Project web content issue
    • priority: 5 --> 8
     
  • Jacob Moorman
    2001-10-22

    • summary: Project web content issue --> Project web content issue: amanda
     
  • Jacob Moorman
    2001-10-22

    Logged In: YES
    user_id=152443

    Resolution of this support request is currently pending;
    additional information will be posted to this support
    request in the next 24 hours. Thank you for your patience.

     
  • Jacob Moorman
    2001-10-23

    Logged In: YES
    user_id=152443

    Greetings,

    It is the goal of SourceForge.net to provide services to
    projects within the Open Source software development
    community. SourceForge.net has a limited set of resources
    available with which to provide these services; with this in
    mind, we have taken steps we feel appropriate for handling
    this particular issue. Your comments are welcome, and may
    be submitted as a comment to this support request.

    WHAT HAPPENED?

    As stated, the hosting environment used by SourceForge.net
    is driven by a single user account. Some projects, to
    easily permit the web server to be able to write data to
    their group directory structure, have flagged files and/or
    directories as world writable (i.e. ANYONE can write to
    these files). Files and directories which are world
    writable are at a significant risk; ANY user may modify
    these files, ANY user may remove these files.

    Earlier this week, a user of project shell or project web
    services, either maliciously or accidentally, did just that
    -- modified the contents of all world writable files. Any
    issues your project has experienced are directly as a result
    of these permissions choices; each project hosted on
    SourceForge.net is responsible for its own content.

    HOW DID THIS HAPPEN?

    A number of projects, including yours, did not understand
    the security implications of their actions. You should
    always maintain proper UNIX security precautions. World
    writable files are a bad idea. Your project should consider
    its options and move forward from this point.

    HOW CAN I GET MY DATA BACK?

    Content hosted on SourceForge.net is the sole responsibility
    of the project hosting that content. SourceForge.net has
    provided, through the SourceForge.net site documentation
    collection, documentation covering our data backup and
    restoration policies, including procedures and
    recommendations for use by SourceForge.net-hosted projects.
    This document is available at:
    https://sourceforge.net/docman/display_doc.php?docid=6840&group_id=1

    It is the policy of SourceForge.net that backups are
    performed on a regular basis. It is the policy of
    SourceForge.net that restoration of data from these backups
    is done ONLY in the case of catastrophic hardware failure or
    in the context of disaster recovery (i.e. an earthquake, or
    similar). SourceForge.net is making a one-time exception to
    this rule for your project and will provide you with a copy
    of your data from the backup immediately prior to this
    event. Please see the aforementioned documentation for
    further details. Please institute regular backups of your
    project data, per the instructions in that document.

    WHAT DO I NEED TO DO?

    1. At your request, group ownership of files and directories
    may be changed to match the user of the project web server.
    This will still provide only a casual level of security
    above world writable files, HOWEVER, it will mean that
    damage to your project files could only be caused by another
    script running on the project web server (essentially
    eliminating the risk for accidental damage). To request
    group ownership change for files or directories, submit a
    support request detailing the UNIX name for your project and
    the exact paths whose group ownership you wish to be
    modified.

    2. SourceForge.net has published procedural information and
    recommendations for backups your project should perform.
    Please implement backup procedures accordingly.

    3. Consider storing your data in your project MySQL
    database; this will further protect it from accidental (and
    most malicious) damage.

    4. Some project-specific web applications clearly require a
    higher level of security than SourceForge.net, a free
    service, is able to provide. If you determine your
    application to have such requirements, you should consider
    hosting that application using other facilities (such as
    those secure facilities which are commercially available).
    Your SourceForge.net project web space should not be used
    for hosting mission-critical, security-critical
    applications.

    WHERE IS MY DATA?

    As stated, we are treating this as a one-time exception to
    our backup policy. No further on-demand data restoration
    will occur from this point forward. It is your
    responsibility to implement proper backups for your project
    and to use those backups should you choose not to implement
    more strict security precautions for your data. A complete
    tarball of your project group directory structure has been
    placed at the top-level of your project group directory
    structure.

    EXECUTIVE SUMMARY

    1. Your project data was damaged as a result of UNIX
    file/directory permissions selected by your project.
    2. It is the policy of SourceForge.net that we do not
    perform on-demand data restoration; we are making a ONE-TIME
    exception to these policies to ensure that this matter is
    handled in a timely and proper manner.
    3. Your project should implement the minimum data backup
    policies located at:
    https://sourceforge.net/docman/display_doc.php?docid=6840&group_id=1
    4. Your project should consider implementing increased
    security for your application data.
    5. A tarball containing your group data (restored from
    backup) has been placed in your project's group directory on
    shell.sourceforge.net.
    6. Questions, comments and concerns may be submitted to
    SourceForge.net by adding a comment to this support request;
    alternately, please e-mail staff@sourceforge.net with
    subject 'Response to 2001-10 Data Restoration Event'.

    Thank you,

    Jacob Moorman
    Quality of Service Manager, SourceForge.net
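
An added example, not part of the original ticket or any SourceForge.net tooling: a shell audit for the world-writable files and directories the reply above describes, plus the group-ownership alternative from item 1 of "WHAT DO I NEED TO DO?". The tree path and the web server's group are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (constructed): audit a project web tree for world-writable
# entries, then swap "other" write access for group write.
# The path and group passed in are assumptions supplied by the caller.

# Print every regular file and directory under $1 that "other" can write to.
# Symlinks are skipped; their own mode bits are not what is enforced.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# For each world-writable entry under $1: hand it to group $2, drop o+w,
# grant g+w. Directories also get setgid so new files inherit the group.
# Any process running with that group can still modify these paths, so
# this narrows exposure rather than removing it; keep backups regardless.
tighten() {
    find "$1" -type d -perm -0002 \
        -exec chgrp "$2" {} + -exec chmod o-w,g+ws {} +
    find "$1" -type f -perm -0002 \
        -exec chgrp "$2" {} + -exec chmod o-w,g+w {} +
}

# Run as a script with a path argument: report only, change nothing.
if [ "$#" -ge 1 ]; then
    list_world_writable "$1"
fi
```

Running the report before and after `tighten` shows which paths were exposed; changing a path's group to one the caller does not belong to requires an administrator, which is why the reply asks projects to file a support request for it.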

     
  • Jacob Moorman
    2001-10-23

    • priority: 8 --> 5
    • status: open --> closed
     
  • Todd Kover
    2001-10-28

    Logged In: YES
    user_id=9523

    The tarball disappeared before we were able to get it.

    Presumably, this is because our group directory is owned
    by nobody (something we can't change) and someone ran
    something that did removal inside the web server.

    Could we get the tarball put somewhere other people can't
    delete it, and get our web area chown'd such that nobody
    doesn't own it?

    thanks,
    -Todd

     
  • Todd Kover
    2001-10-28

    • status: closed --> open
     
  • Jacob Moorman
    2001-10-29

    • priority: 5 --> 8
     
  • Jacob Moorman
    2001-10-29

    Logged In: YES
    user_id=152443

    Greetings,

    The ownership of the amanda project group directory has been
    created. The tarball containing restored data has been
    regenerated and has been placed within this directory.
    Should you have further questions or concerns regarding this
    matter, please re-open this support request and add a
    comment.

    Thank you,

    Jacob Moorman
    Quality of Service Manager, SourceForge.net

     
  • Jacob Moorman
    2001-10-29

    • priority: 8 --> 5
    • status: open --> closed