COMMAND

    Solstice Backup/Legato Networker recover

SYSTEMS AFFECTED

    Solaris 2.x

PROBLEM

    Chris  Siebenmann  found  following.   The  'recover'  command  in
    Solstice Backup (Sun's relabeled version of Legato Networker) on a
    Unix machine  authorized to  perform restore  operations from  the
    backup server can be used to by a normal user to restore any  file
    accessible to the machine in a readable-to-them state (although it
    cannot be used to overwrite system files).

    This can be used to get your own copy of /etc/shadow for  password
    cracking purposes, or simply  to read other people's  confidential
    files.  Chris was told that there is no way to restrict a  machine
    so that it  can perform backups  but not recovers.  (Chris's group
    doesn't run the server, just some client machines.)

    Basic problem: the 'recover'  command is an ordinary  unprivileged
    program.  Although it attempts to perform permission checking,  it
    is trivial to fool it into thinking it is running as any arbitrary
    user,  including  root,  by  using  such methods as a LD_PRELOAD'd
    library that overrides appropriate functions.

    This has obvious implications for the server <-> client  protocol.
    Version information:  our server  is running  Solstice Backup  5.1
    with  Sun  patch  106408-5  (11Aug1999  patch) which is apparently
    equivalent to Legato Networker.5.1.Build.264.

SOLUTION

    Nothing yet.