Bugtraq mailing list archives

Re: [Re: Amanda multiple vendor local root compromises]


From: robert () CYRUS WATSON ORG (Robert Watson)
Date: Tue, 2 Nov 1999 13:43:00 -0500


On Mon, 1 Nov 1999, Peter Walker wrote:

> I think it is fair to say that there is a problem with the amanda package
> as it is shipped on the FreeBSD 3.3 CD, rather than with the amanda backup
> system itself. It would be interesting to find out if any other "standard"
> OS distributions have similar problems.
>
> Personally I would be very wary of entrusting the security of any of our
> systems to somebody else's packaging of a software package that by its
> nature requires unrestricted read access to all of my disks.

On the other hand, if you don't trust your OS with the contents of your
disk, you're probably not going to install the OS.  There is an equally
strong argument that you should trust your OS vendor to adapt generally
available packages for the local OS environment--often software developers
write their software with a particular security architecture in mind (say,
Linux or Solaris) which isn't quite the same as the local system (say,
OpenBSD or FreeBSD).  Installing SSH without vendor patches can often be
a problem, as pointed out with the recent chflags-related bugs (where the
SSH authors assumed that certain operations would always succeed).  OS
adaptation places some of the responsibility for security verification on
the OS vendor or package developer, which seems appropriate, given that
the OS vendor probably understands the OS best.

That said, it's probably also best if the OS vendor submits patches back
to the software developer, and that the software developer incorporates
the patches.  There have been a number of cases where the FreeBSD
community has failed to submit patches on software back to the developer,
so the developer never knew that these changes were required on FreeBSD.
There have also been numerous cases where the changes *have* been
submitted back, but have been ignored by the vendor.  I don't know that
Amanda falls into either case, but it is something to consider when
judging the merit of even having an OS-specific package system :-).

It should also be pointed out that the symlink bug described in the
original post seems to be a bug in Amanda that is not platform-specific --
I haven't seen any further comment on that, only on the package
installation.  Has anyone verified that the amanda.debug file is created
in such a way that a) it has a predictable name, and b) it follows
symlinks?  Really, it should probably go in /var/run (or equiv directory
on whatever OS), should be created using O_CREAT and O_EXCL, or should be
created using mktemp.  Probably the first option is best.

  Robert N M Watson

robert () fledge watson org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
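
Added example, not part of the original message and not Amanda's own code: a C sketch of the O_CREAT plus O_EXCL creation suggested above, checked against a pre-planted symlink at the predictable name. The function names and the scratch directory under /tmp are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened creation (hypothetical helper): with O_CREAT|O_EXCL, open() fails
 * with EEXIST if anything already occupies the path, including a symlink,
 * whether or not the symlink's target exists. The link is never followed. */
int open_debug_log(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private scratch directory.
 * Returns 0 when both cases behave as expected, non-zero otherwise. */
int demo(void)
{
    char dir[] = "/tmp/dbgdemo.XXXXXX";
    char logp[128], victim[128];
    struct stat st;
    int fd, rc = 1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(logp, sizeof logp, "%s/amanda.debug", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    /* Case 1: the name is free, so the file is created with mode 0600. */
    fd = open_debug_log(logp);
    if (fd < 0) goto out;
    close(fd);
    unlink(logp);

    /* Case 2: the name already exists as a symlink to some other file. */
    if (symlink(victim, logp) != 0) goto out;
    errno = 0;
    fd = open_debug_log(logp);
    if (fd >= 0) { close(fd); goto out; }      /* creation must be refused */
    if (errno != EEXIST) goto out;
    if (stat(victim, &st) == 0) goto out;      /* target must not be created */
    rc = 0;
out:
    unlink(logp); unlink(victim); rmdir(dir);
    return rc;
}

int main(void) { int r = demo(); printf("demo: %s\n", r == 0 ? "ok" : "FAILED"); return r; }
```

A caller that gets EEXIST should treat it as an error and stop, not unlink the path and retry, since that reopens the race.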

