The user "nobody" could create fake backup files with
and have them encrypted and eventually restored. Cause:
the backup program chowns the backup file to nobody
before it encrypts them. See ipcopbkcfg.c:
---
/* Make sure web can overwrite */
snprintf (command, STRING_SIZE-1,
          "/home/httpd/html/backup/%s.tar.gz", hostname);
chown(command, 99, 99);
/* encrypt archive */
snprintf (command, STRING_SIZE-1,
          "/usr/bin/openssl des3 -e -salt"
          " -in /home/httpd/html/backup/%s.tar.gz"
          " -out /home/httpd/html/backup/%s.dat"
          " -kfile %s/backup/backup.key",
          hostname, hostname, CONFIG_ROOT);
if (safe_system (command)) {
    fprintf (stderr, "Couldn't encrypt archive\n");
    exit (ERR_ENCRYPT);
}
---
This might open a window of opportunity for nobody to
change the file. A tight loop copying his backup file
there might be enough. (did not check this though).
Fix: encrypt first, chown then (or better: delete
unencrypted backup files). See:
https://sourceforge.net/tracker/index.php?func=detail&aid=1344039&group_id=40604&atid=428516
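The ordering proposed in the report above, as an added example. It is not IPCop's code and not the change shipped by the project: the archive is checked, encrypted while still owned by the backup process, the plaintext is deleted, and only the ciphertext is handed to the web user. The names `archive_untampered`, `encrypt_archive` and `seal_backup` are hypothetical, and the example assumes the backup directory itself is not writable by the web user.

```c
/* Added example (not IPCop code): encrypt first, chown afterwards. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if path is a regular file (not a symlink) owned by `owner`
 * and not writable by group or other, so no other user could have altered it. */
int archive_untampered(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return 0;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             st.st_uid == owner && !(st.st_mode & (S_IWGRP | S_IWOTH));
    close(fd);
    return ok;
}

/* Runs the openssl command quoted in the report, without a shell.
 * Returns 0 on success. */
static int encrypt_archive(const char *in, const char *out, const char *keyfile)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/usr/bin/openssl", "openssl", "des3", "-e", "-salt", "-in", in,
              "-out", out, "-kfile", keyfile, (char *)NULL);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Hypothetical replacement for the quoted sequence. Returns 0 on success. */
int seal_backup(const char *plain, const char *enc, const char *keyfile,
                uid_t web_uid, gid_t web_gid)
{
    if (!archive_untampered(plain, geteuid()))
        return -1;                       /* another user could have written it */
    if (encrypt_archive(plain, enc, keyfile) != 0 || unlink(plain) != 0)
        return -1;                       /* plaintext must not stay behind */
    return chown(enc, web_uid, web_gid); /* only ciphertext goes to the web user */
}
```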
Logged In: YES
user_id=691649
This is fixed in 1.4.10