Re: Amanda multiple vendor local root compromises

[oliva () LSD IC UNICAMP BR (Alexandre Oliva)]

On Nov  1, 1999, Rob <capveg () CS UMD EDU> wrote:

> > Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls
> > /usr/bin/tar and passes all args given to runtar to this program. Tar is

> FWIW, runtar does not need to be suid root if the amanda user (defaults to
> user "amanda") has read access to the raw disks.

Nope, that's true in the case of `rundump', that is only enabled on
platforms whose dumb `dump' programs must be run as root.  But in the
case of `runtar', it needs root permissions because it runs tar and
`tar' reads files, not raw disk devices.

Most of the issues raised for `runtar' also apply to `rundump', except
that `rundump' can't usually be used to create files, only to back
them up.  But both programs are installed so that only the Amanda
group (specified at configure time) can run them, with chmod g+x/chgrp
permissions, and only the Amanda user (also specified at configure
time) can tell it to actually run tar (getuid() is checked at program
start-up).

--
Alexandre Oliva http://www.ic.unicamp.br/~oliva IC-Unicamp, Bra[sz]il
oliva@{lsd.ic.unicamp.br,guarana.{org,com}} aoliva@{acm,computer}.org
oliva@{gnu.org,kaffe.org,{egcs,sourceware}.cygnus.com,samba.org}
** I may forward mail about projects to mailing lists; please use them