If memory serves me right, Alexandre Oliva wrote:
> On Nov 1, 1999, Brock Tellier <btellierat_private> wrote:
>
> > > On my system (FreeBSD 3.3-RELEASE + amanda-2.4.1 package included on CD):
> > > -rwsr-xr-x root/wheel
> > > And thus ANY user, not just amanda/bin/operator can exploit runtar.
>
> > Obviously, from the replies I've received, this is an error in the package
> > installation, but I assure you that it was entirely automated by
> > /stand/sysinstall and not fooled with by me.

Hmmm. Just for kicks I deleted my amanda installation and used sysinstall to install the package from the 3.3-RELEASE CD-ROM (on a machine running FreeBSD 3.3-RELEASE + KAME 19991018 snapshot):

roosevelt:amanda% pwd
/usr/local/libexec/amanda
roosevelt:amanda% ls -ls rundump runtar
4 -r-sr-x--- 1 root operator 3196 Sep 11 04:54 rundump
4 -r-sr-x--- 1 root operator 4076 Sep 11 04:54 runtar

I'm not saying the original poster didn't see what he thought he saw, but I don't think the blame for this can be laid on the package installation or sysinstall either.

> Amanda strongly advises against the use of pre-compiled packages,
> because there are a couple of options hard-coded at build time, some
> of which have to do with the user and group authorized to make use of
> Amanda. Nevertheless, many vendors insist on releasing such
> pre-compiled packages, often without documenting the options used to
> configure the executables, and users get immensely confused when they
> find some behavior that contradicts the default specified in the
> documentation :-(

In the case of FreeBSD's ports collection (and packages generated from it), the exact parameters used to configure amanda can be found in:

/usr/ports/misc/amanda24/Makefile

> If you're a security concerned system administrator, you'd better
> build Amanda yourself, so as to be sure to be able to customize all
> the general- and security-related options to your own needs.

Yes. (Or, alternatively, build using something like the FreeBSD ports collection to gain some package management features, but verify the configure- and build-time options before installing, which is what I've been doing.)

Cheers,

Bruce.
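Added example, not part of the original message and not Amanda or FreeBSD code: a small POSIX shell check for the difference between the two listings quoted above, that is, set-uid helpers that "other" can execute (-rwsr-xr-x) versus helpers restricted to owner and group (-r-sr-x---). The function names are made up for this example; the directory to audit is passed as the first argument.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit a directory of set-uid
# helpers such as /usr/local/libexec/amanda for world-executable binaries.

# world_exec_setuid DIR
# Print, one per line, every regular file under DIR whose mode has BOTH the
# set-uid bit (04000) and the other-execute bit (0001). A helper installed
# as -r-sr-x--- (04550) is not listed; one installed as -rwsr-xr-x is.
world_exec_setuid() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f -perm -4001 -print | sort
}

# audit_setuid_dir DIR
# Report mode and owner:group for each hit. Returns 1 if anything was
# reported, 0 if the directory is clean or does not exist.
audit_setuid_dir() {
    hits=$(world_exec_setuid "$1")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r f; do
        mode_owner=$(ls -ld "$f" | awk '{print $1, $3 ":" $4}')
        printf 'world-executable set-uid: %s %s\n' "$mode_owner" "$f"
    done
    return 1
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_setuid_dir "$1"
fi
```

Run it against the installed helper directory after a package or port install; a non-zero exit status means at least one set-uid file there is executable by every local user.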
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:26 PDT