[12408] in bugtraq
Re: [Re: Amanda multiple vendor local root compromises]
daemon@ATHENA.MIT.EDU (Bruce A. Mah)
Tue Nov 2 13:08:44 1999
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_644385786P"; micalg=pgp-sha1;
protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Message-Id: <199911021615.IAA93505@nimitz.ca.sandia.gov>
Date: Tue, 2 Nov 1999 08:15:13 -0800
Reply-To: bmah@CA.Sandia.GOV
From: "Bruce A. Mah" <bmah@CA.SANDIA.GOV>
X-To: Alexandre Oliva <oliva@lsd.ic.unicamp.br>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "02 Nov 1999 09:53:16 -0200."
<or4sf5cdoz.fsf@garnize.lsd.ic.unicamp.br>
--==_Exmh_644385786P
Content-Type: text/plain; charset=us-ascii
If memory serves me right, Alexandre Oliva wrote:
> On Nov 1, 1999, Brock Tellier <btellier@USA.NET> wrote:
>
> > On my system (FreeBSD 3.3-RELEASE + amanda-2.4.1 package included on CD):
>
> > -rwsr-xr-x root/wheel
>
> > And thus ANY user, not just amanda/bin/operator can exploit runtar.
> > Obviously, from the replies I've recieved, this is an error in the package
> > installation, but I assure you that it was entierly automated by
> > /stand/sysinstall and not fooled with by me.
Hmmm. Just for kicks I deleted my amanda installation and used
sysinstall to install the package from the 3.3-RELEASE CD-ROM (on a
machine running FreeBSD 3.3-RELEASE + KAME 19991018 snapshot):
roosevelt:amanda% pwd
/usr/local/libexec/amanda
roosevelt:amanda% ls -ls rundump runtar
4 -r-sr-x--- 1 root operator 3196 Sep 11 04:54 rundump
4 -r-sr-x--- 1 root operator 4076 Sep 11 04:54 runtar
I'm not saying the original poster didn't see what he thought he saw,
but I don't think the blame for this can be laid on the package
installation or sysinstall either.
> Amanda strongly advises against the use of pre-compiled packages,
> because there are a couple of options hard-coded at build time, some
> of which have to do with the user and group authorized to make use of
> Amanda. Nevertheless, many vendors insist in releasing such
> pre-compiled packages, often without documenting the options used to
> configure the executables, and users get immensely confused when they
> find some behavior that contradicts the default specified in the
> documentation :-(
In the case of FreeBSD's ports collection (and packages generated from
it), the exact parameters used to configure amanda can be found in:
/usr/ports/misc/amanda24/Makefile
> If you're a security concerned system administrator, you'd better
> build Amanda yourself, so as to be sure to be able to customize all
> the general- and security-related options to your own needs.
Yes. (Or, alternatively, build using something like the FreeBSD ports
collection to gain some package management features, but verify the
configure- and build-time options before installing, which is what I've
been doing.)
Cheers,
Bruce.
--==_Exmh_644385786P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
MessageID: xP3p2YK5gC0Mj8QYND9W72nr4nipOqO9
iQA/AwUBOB8OEdjKMXFboFLDEQKGIQCcC5Fy/cx5MDGTpkZ0yN7CXb6ImkMAoLqq
u57sKJQkQW6TsRQA7A2wqSlt
=HzfY
-----END PGP SIGNATURE-----
--==_Exmh_644385786P--
