Back In Time

deleting backups makes files world-readable

Bug #419774 reported by Jonathan Wiltshire on 2009-08-27

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Back In Time	Fix Released	Undecided	Unassigned
	backintime (Debian)	Fix Released	Unknown	debbugs #543785

Bug Description

From Debian bug #543785

From: Rémi Vanicat <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: Bug#543785: backintime-common: backintime make world readable file in
backup when it remove old backup
Message-ID: <20090826220449.13922.61422.reportbug@corbeau>
Reply-To: Rémi Vanicat <email address hidden>, <email address hidden>
X-Mailer: reportbug 4.6

Package: backintime-common
Version: 0.9.26-2
Severity: grave
Tags: security
Justification: user security hole

When asking backintime to remove an old backup, it first change mode
of all file of the backup to 777, allowing potentially every local
user to read and modify those before they are deleted (and this could take some
time).

Worst still, if a file is shared between several backup, as the file's
mode are also shared, it stay world readable and writable in those
other backup.

Note that one do not need to change the mode of a file to suppress it:
only the mode of the directory need to be changed. The other advantage
to change the mode only for directories is that they are not shared
between backup, so the changed mode don't stay for long period of
time.

Related branches

lp:~bratdaking/backintime/bug-419774

Merged into lp:backintime/1.0

Dan: Pending requested 2009-09-01

Jonathan Wiltshire (jwiltshire) on 2009-08-27

visibility:

private → public

Bug Watch Updater (bug-watch-updater) on 2009-08-27

Changed in backintime (Debian):
status:	Unknown → New

Bart de Koning (bratdaking) on 2009-09-01

Changed in backintime (Debian):
status:	New → Confirmed
Changed in backintime:
status:	New → Confirmed

Revision history for this message

Jonathan Wiltshire (jwiltshire) wrote on 2009-09-01:

Hi,

Since opening this bug the submitter has also sent this:

> 2009/8/27 Rémi Vanicat <email address hidden>:
>
> > When asking backintime to remove an old backup, it first change mode
> > of all file of the backup to 777, allowing potentially every local
> > user to read and modify those before they are deleted (and this could take some
> > time).
>
> Will looking at this bug, I found that applying this:
>
> --- common/snapshots.py~ 2009-08-24 23:11:27.000000000 +0200
> +++ common/snapshots.py 2009-08-28 09:48:57.000000000 +0200
> @@ -314,7 +314,7 @@
> return
>
> path = self.get_snapshot_path( snapshot_id )
> - cmd = "chmod -R a+rwx \"%s\"" % path
> + cmd = "find \"%s\" -type d -exec chmod u+wx {} \\;" % path
> self._execute( cmd )
> cmd = "rm -rfv \"%s\"" % path
> self._execute( cmd )
>
> to the snapshots.py file solve this problem but I also found others
> call to chmod -R a+rwx or to
> chmod a+w that should probably be investigated.

If you can fix this soon, it would be great, as the Debian bug is grave and needs fixing as soon as possible. If not, I'll implement a temporary patch and fix it properly later.

Cheers :)

Bart de Koning (bratdaking) on 2009-09-01

Changed in backintime:
status:	Confirmed → Fix Committed

Revision history for this message

Bart de Koning (bratdaking) wrote on 2009-09-01: Re: [Bug 419774] Re: deleting backups makes files world-readable

I was already having a look into this, but can you tell me whether hte line
is actually necessary, if you run backintime as root at least you can do
without the chmod, but when you are a normal user you probably need it...
Anyway I will submit the patch to be merged into the trunk. Thanks anyway!

I changed also line 577 into
self._execute( "find \"%s\" -type d -exec chmod u+wx {} \\;" %
new_snapshot_path ) #Debian patch
Was a similar matter...

Cheers,
Bart

2009/9/1 Jonathan Wiltshire <email address hidden>

> Hi,
>
> Since opening this bug the submitter has also sent this:
>
> > 2009/8/27 Rémi Vanicat <email address hidden>:
> >
> > > When asking backintime to remove an old backup, it first change mode
> > > of all file of the backup to 777, allowing potentially every local
> > > user to read and modify those before they are deleted (and this could
> take some
> > > time).
> >
> > Will looking at this bug, I found that applying this:
> >
> > --- common/snapshots.py~ 2009-08-24 23:11:27.000000000 +0200
> > +++ common/snapshots.py 2009-08-28 09:48:57.000000000 +0200
> > @@ -314,7 +314,7 @@
> > return
> >
> > path = self.get_snapshot_path( snapshot_id )
> > - cmd = "chmod -R a+rwx \"%s\"" % path
> > + cmd = "find \"%s\" -type d -exec chmod u+wx {} \\;" % path
> > self._execute( cmd )
> > cmd = "rm -rfv \"%s\"" % path
> > self._execute( cmd )
> >
> > to the snapshots.py file solve this problem but I also found others
> > call to chmod -R a+rwx or to
> > chmod a+w that should probably be investigated.
>
> If you can fix this soon, it would be great, as the Debian bug is grave
> and needs fixing as soon as possible. If not, I'll implement a temporary
> patch and fix it properly later.
>
> Cheers :)
>
> --
> deleting backups makes files world-readable
> https://bugs.launchpad.net/bugs/419774
> You received this bug notification because you are a direct subscriber
> of the bug.
>

I changed also line 577 into
            self._execute( "find \"%s\" -type d -exec chmod u+wx {} \\;" %
new_snapshot_path ) #Debian patch
Was a similar matter...

Cheers,
Bart

2009/9/1 Jonathan Wiltshire <debian@jwiltshire.org.uk>

> Hi,
>
> Since opening this bug the submitter has also sent this:
>
> > 2009/8/27 Rémi Vanicat <vanicat@debian.org>:
> >
> > > When asking backintime to remove an old backup, it first change mode
> > > of all file of the backup to 777, allowing potentially every local
> > > user to read and modify those before they are deleted (and this could
> take some
> > > time).
> >
> > Will looking at this bug, I found that applying this:
> >
> > --- common/snapshots.py~      2009-08-24 23:11:27.000000000 +0200
> > +++ common/snapshots.py       2009-08-28 09:48:57.000000000 +0200
> > @@ -314,7 +314,7 @@
> >                       return
> >
> >               path = self.get_snapshot_path( snapshot_id )
> > -             cmd = "chmod -R a+rwx \"%s\"" %  path
> > +             cmd = "find \"%s\" -type d -exec chmod u+wx {} \\;" % path
> >               self._execute( cmd )
> >               cmd = "rm -rfv \"%s\"" % path
> >               self._execute( cmd )
> >
> > to the snapshots.py file solve this problem but I also found others
> > call to chmod -R a+rwx or to
> > chmod a+w that should probably be investigated.
>
> If you can fix this soon, it would be great, as the Debian bug is grave
> and needs fixing as soon as possible. If not, I'll implement a temporary
> patch and fix it properly later.
>
> Cheers :)
>
> --
> deleting backups makes files world-readable
> https://bugs.launchpad.net/bugs/419774
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Bug Watch Updater (bug-watch-updater) on 2009-10-07

Changed in backintime (Debian):
status:	Confirmed → Fix Released

Dan (danleweb) on 2010-09-12

Changed in backintime:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #543785
[done grave security fixed-upstream] Edit

Bug watches keep track of this bug in other bug trackers.