Bugtraq mailing list archives
Re: [Re: Amanda multiple vendor local root compromises]
From: bmah () CA SANDIA GOV (Bruce A. Mah)
Date: Tue, 2 Nov 1999 08:15:13 -0800
If memory serves me right, Alexandre Oliva wrote:
> On Nov 1, 1999, Brock Tellier <btellier () USA NET> wrote:
>
> > On my system (FreeBSD 3.3-RELEASE + amanda-2.4.1 package included on CD):
> >
> >     -rwsr-xr-x root/wheel
> >
> > And thus ANY user, not just amanda/bin/operator, can exploit runtar.
> > Obviously, from the replies I've received, this is an error in the
> > package installation, but I assure you that it was entirely automated
> > by /stand/sysinstall and not fooled with by me.
Hmmm. Just for kicks I deleted my amanda installation and used sysinstall to
install the package from the 3.3-RELEASE CD-ROM (on a machine running FreeBSD
3.3-RELEASE + KAME 19991018 snapshot):

    roosevelt:amanda% pwd
    /usr/local/libexec/amanda
    roosevelt:amanda% ls -ls rundump runtar
    4 -r-sr-x---  1 root  operator  3196 Sep 11 04:54 rundump
    4 -r-sr-x---  1 root  operator  4076 Sep 11 04:54 runtar

I'm not saying the original poster didn't see what he thought he saw, but I
don't think the blame for this can be laid on the package installation or
sysinstall either.
> Amanda strongly advises against the use of pre-compiled packages, because
> there are a couple of options hard-coded at build time, some of which have
> to do with the user and group authorized to make use of Amanda.
> Nevertheless, many vendors insist on releasing such pre-compiled packages,
> often without documenting the options used to configure the executables,
> and users get immensely confused when they find some behavior that
> contradicts the default specified in the documentation :-(
>
> In the case of FreeBSD's ports collection (and packages generated from
> it), the exact parameters used to configure amanda can be found in:
>
>     /usr/ports/misc/amanda24/Makefile
>
> If you're a security-concerned system administrator, you'd better build
> Amanda yourself, so as to be sure to be able to customize all the general-
> and security-related options to your own needs.
Yes. (Or, alternatively, build using something like the FreeBSD ports
collection to gain some package management features, but verify the
configure- and build-time options before installing, which is what I've been
doing.)

Cheers,

Bruce.
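The whole disagreement in this thread comes down to two ls(1) lines: the original report's "-rwsr-xr-x root/wheel" (setuid root and executable by every local user) versus the "-r-sr-x--- root operator" that the package installed on Bruce's machine (setuid root, but only root and group operator may execute it). The script below is an added example, not code from the thread or from the Amanda project, that turns that comparison into a repeatable check: it classifies an ls -l mode/owner/group triple and then runs that classification over the helpers in /usr/local/libexec/amanda, the directory shown above. The helper names runtar and rundump are the ones mentioned in the thread; the expected group "operator" is taken from Bruce's ls output and may differ on a self-built install.

```shell
#!/bin/sh
# Added example (not from the thread): audit Amanda's setuid-root helpers for
# the mode the original report saw (-rwsr-xr-x root/wheel, runnable by any
# local user) versus the mode the FreeBSD package installed here
# (-r-sr-x--- root operator, runnable only by root and group operator).
#
# classify_helper_mode takes the fields of an ls -l line (mode string, owner,
# group) and prints one word:
#   ok           setuid root, no world-execute bit, owned by the expected group
#   not-setuid   no setuid bit in the owner execute slot
#   not-root     setuid, but not to root
#   world-exec   setuid root and executable by "other": any local user can run it
#   wrong-group  setuid root and group-restricted, but not to the expected group
# The expected group defaults to "operator" (assumption, taken from the ls
# output in the thread; pass a fourth argument to override it).
classify_helper_mode() {
    mode=$1; owner=$2; group=$3; want_group=${4:-operator}

    # Position 4 of the mode string is the owner execute slot; 's' or 'S'
    # there means the setuid bit is set (S = setuid without execute).
    case "$mode" in
        ???[sS]*) ;;
        *) echo not-setuid; return 0 ;;
    esac

    [ "$owner" = root ] || { echo not-root; return 0; }

    # Position 10 is the "other" execute slot. Anything but '-' (or 'T',
    # sticky without execute) lets users outside the group run the helper.
    case "$mode" in
        ?????????[-T]*) ;;
        *) echo world-exec; return 0 ;;
    esac

    [ "$group" = "$want_group" ] || { echo wrong-group; return 0; }
    echo ok
}

# Run the check against the installed helpers. The directory is the one shown
# in the thread; the list of helper names is an assumption of this example.
audit_amanda_helpers() {
    dir=${1:-/usr/local/libexec/amanda}
    for f in runtar rundump; do
        if [ ! -e "$dir/$f" ]; then
            echo "$f: missing"
            continue
        fi
        # ls -l fields: mode links owner group size ... name
        set -- $(ls -ld "$dir/$f")
        echo "$f: $(classify_helper_mode "$1" "$3" "$4")"
    done
}

audit_amanda_helpers "${1:-/usr/local/libexec/amanda}"
```

Run it on the backup host after installing or rebuilding the package. A "world-exec" result is the condition the original report describes; "chgrp operator" followed by "chmod 4550" on the helper brings it to the -r-sr-x--- root operator state shown in the ls output above (4550 is that mode string expressed in octal). Because the authorized user and group are build-time options, as Alexandre notes, check the group name against the configure options actually used before trusting the "ok" result.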