Revision history

revision 1 (initial version)

Thanks for the comments, Jameer.

As known, the privileges functionally needed by the agent are only read privilege on the files/folders being backed up and write permission on Vembu's housekeeping data folders. So mandating the agent to be run as an admin (super) user is a violation of the cardinal security "Principle of Least Privilege" (https://en.wikipedia.org/wiki/Principle_of_least_privilege). Running the agent as root is a security vulnerability. Example of a potential risk: a malicious program/hacker exploiting this and getting other files out of the host via the agent, since root has permission to read any file on the server. This is just one example, and there could be many potential exploitations of this vulnerability. Moreover, Vembu backup works as a pull model, i.e. the backup schedule is maintained on the external backup server, and for backup the program running on the backup server contacts the agent running on the database server and pulls the data via the agent. Consequently the agent needs to be up and listening 24x7, since it doesn't know when the backup server program will request data. Running 24x7 aggravates the security vulnerability of the agent that runs as root in production envs.

It is more than a year since we brought up this legitimate concern. We would appreciate it if Vembu can expedite the testing and certification of the scenario of running the Vembu backup agent as a non-admin account. This would further enhance customer satisfaction & security compliance of your good product.

Thanks for the comments, Jameer.

As known, the privileges functionally needed by the agent are only read privilege on the files/folders being backed up and write permission on Vembu's housekeeping data folders. So mandating the agent to be run as an admin (super) user is a violation of the cardinal security "Principle of Least Privilege" (https://en.wikipedia.org/wiki/Principle_of_least_privilege). Running the agent as root is a security vulnerability. Example of a potential risk: a malicious program/hacker exploiting this and getting other files out of the host via the agent, since the root superuser has permission to read any file on the server. This is just one example, and there could be many potential exploitations of this vulnerability. Moreover, Vembu backup works as a pull model, i.e. the backup schedule is maintained on the external backup server, and for backup the program running on the backup server contacts the agent running on the database server and pulls the data via the agent. Consequently the agent needs to be up and listening 24x7, since it doesn't know when the backup server program will request data. For production envs, running 24x7 aggravates the security vulnerability of the agent running as root.

It is more than a year since we brought up this legitimate concern. We would appreciate it if Vembu can expedite the testing and certification of the scenario of running the Vembu backup agent as a non-admin account. We are using Ubuntu Linux 14.04. This would further enhance customer satisfaction & security compliance of your good product.
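The post above argues that the agent only needs read access to the backed-up paths and write access to its housekeeping folder. The following added example (not Vembu's code, and not part of the original post) audits exactly that for a candidate non-admin account against a constructed filesystem snapshot: it reports which POSIX permissions the account still lacks, so an administrator can see what to grant before dropping the agent from root. The paths, uids and gids are hypothetical.

```python
import stat
from collections import namedtuple

# Minimal stand-in for an os.stat result so the audit can run against a
# constructed snapshot instead of the live filesystem.
Entry = namedtuple("Entry", "mode uid gid")

# Constructed snapshot (hypothetical uids/paths): a MySQL data directory the
# agent must read, and the agent's own housekeeping directory it must write.
SNAPSHOT = {
    "/": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/var": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/var/lib": Entry(stat.S_IFDIR | 0o755, 0, 0),
    "/var/lib/mysql": Entry(stat.S_IFDIR | 0o700, 106, 110),
    "/var/lib/mysql/ibdata1": Entry(stat.S_IFREG | 0o660, 106, 110),
    "/var/lib/vembu": Entry(stat.S_IFDIR | 0o750, 999, 999),
}

def has_perm(entry, uid, gids, perm):
    """POSIX DAC check for one permission bit: perm is 'r', 'w' or 'x'."""
    if uid == 0:  # root bypasses DAC entirely, which is the concern in the post
        return True
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if uid == entry.uid:
        shift = 6          # owner class
    elif entry.gid in gids:
        shift = 3          # group class
    else:
        shift = 0          # other class
    return bool((entry.mode >> shift) & bit)

def ancestors(path):
    """All parent directories of path, from '/' down, excluding path itself."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def audit(read_paths, write_dirs, uid, gids, snapshot=SNAPSHOT):
    """Return sorted (path, perm) pairs the account lacks; empty means sufficient."""
    missing = []
    def need(path, perm):
        if not has_perm(snapshot[path], uid, gids, perm):
            missing.append((path, perm))
    for path in read_paths + write_dirs:
        for d in ancestors(path):
            need(d, "x")                 # must traverse every parent directory
    for path in read_paths:
        need(path, "r")
        if stat.S_ISDIR(snapshot[path].mode):
            need(path, "x")              # listing a directory needs r and x
    for d in write_dirs:
        need(d, "w")
        need(d, "x")
    return sorted(set(missing))
```

Running the audit for the hypothetical `vembu` account (uid 999) shows it cannot traverse `/var/lib/mysql` or read `ibdata1`; adding it to the mysql group and opening the data directory to that group (mode 0750) clears the list while still granting nothing beyond what the backup needs.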

Copyright © Vembu Technologies 2020. All Rights Reserved.