Comments in-line below *********** REPLY SEPARATOR *********** On 11/1/99 at 6:04 PM Brock Tellier wrote: >On my system (FreeBSD 3.3-RELEASE + amanda-2.4.1 package included on CD): > >-rwsr-xr-x root/wheel > >And thus ANY user, not just amanda/bin/operator can exploit runtar. >Obviously, from the replies I've recieved, this is an error in the package >installation, but I assure you that it was entierly automated by >/stand/sysinstall and not fooled with by me. As the amanda distribution, as obtained via ftp://ftp.amanda.org/pub/amanda, is not AFAIK available in a form that can be installed via /stand/sysinstall then someone (or some organisation) created a package in this format for installation from the CD. The problems mentioned originally seem to me, to be in the way this package was created. > >"Properly installed" is an interesting phrase. If by "properly" you mean "not >mucking around with the default permissions", than I did exactly that. My >installation of FreeBSD 3.3-RELEASE was about 3 days old and I had just >installed the Amanda-2.4.1 package before starting my testing. Perhaps it is >reasonable for everyone to check the permissions of every suid program (I >certianly do), but, of course, this doesn't always happen. In any case, I >don't *think* this is an installation error on my part and I will try >installing again to see if I come up with the same permissions. One >interesting point is that some of amanda's other suid programs such as >"killprg" and "rundump" have the correct rwsr-x--- root/operator permissions >on my system. I would like some Bugtraq subscribers to try and install this >package on the same configuration I have and see what they get. > My take on what "properly installed" means is that the package was installed as per the instructions provided with the source and on the amanda web site. ie ./configure --with-user xxx --with-group yyy <other options> make su make install The makefile in the client_src directory of the distribution contains the lines for the installation of runtar (and some other executables) @list="<snip> $(libexecdir)/runtar"; \ for p in $$list; do \ if echo "$(sbin_SCRIPTS) $(libexec_PROGRAMS) $(libexec_SCRIPTS)" | grep `basename $$p` >/dev/null 2>&1; then \ pa=$(DESTDIR)`echo $$p|sed '$(transform)'`; \ echo chown root $$pa; \ chown root $$pa; \ echo chmod u+s,o-rwx $$pa; \ chmod u+s,o-rwx $$pa; \ else true; \ fi; \ done I think it is fair to say that there is a problem with the amanda package as it is shipped on the FreeBSD 3.3 CD, rather than with the amanda backup system itself. It would be interesting to find out if any other "standard" os distributions have similar problems. Personally I would be very wary of entrusting the security of any of our systems to somebody else's packaging of a software package that by its nature requires unrestricted read access to all of my disks. Peter
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:24 PDT