[12410] in bugtraq


Re: [Re: Amanda multiple vendor local root compromises]

daemon@ATHENA.MIT.EDU (Alexandre Oliva)
Tue Nov 2 13:24:27 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <or4sf5cdoz.fsf@garnize.lsd.ic.unicamp.br>
Date:         Tue, 2 Nov 1999 09:53:16 -0200
Reply-To: oliva@LSD.IC.UNICAMP.BR
From: Alexandre Oliva <oliva@LSD.IC.UNICAMP.BR>
X-To:         Brock Tellier <btellier@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Brock Tellier's message of "Mon, 1 Nov 1999 18:04:46 MST"

On Nov  1, 1999, Brock Tellier <btellier@USA.NET> wrote:

> On my system (FreeBSD 3.3-RELEASE + amanda-2.4.1 package included on CD):

> -rwsr-xr-x root/wheel

> And thus ANY user, not just amanda/bin/operator can exploit runtar.
> Obviously, from the replies I've received, this is an error in the package
> installation, but I assure you that it was entirely automated by
> /stand/sysinstall and not fooled with by me.

Amanda strongly advises against the use of pre-compiled packages,
because there are a couple of options hard-coded at build time, some
of which have to do with the user and group authorized to make use of
Amanda.  Nevertheless, many vendors insist on releasing such
pre-compiled packages, often without documenting the options used to
configure the executables, and users get immensely confused when they
find some behavior that contradicts the default specified in the
documentation :-(

If you're a security-concerned system administrator, you'd better
build Amanda yourself, so as to be sure to be able to customize all
the general- and security-related options to your own needs.

--
Alexandre Oliva http://www.ic.unicamp.br/~oliva IC-Unicamp, Bra[sz]il
oliva@{lsd.ic.unicamp.br,guarana.{org,com}} aoliva@{acm,computer}.org
oliva@{gnu.org,kaffe.org,{egcs,sourceware}.cygnus.com,samba.org}
** I may forward mail about projects to mailing lists; please use them
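An added audit helper, not code from this thread, from Amanda or from FreeBSD: it classifies an ls(1) mode string such as the quoted `-rwsr-xr-x root/wheel` line, distinguishing a setuid-root runtar that any user can execute from one restricted to the group Amanda was configured for at build time. The group name `operator` used in the usage call is an assumption; substitute whatever group your Amanda build was told to use.

```shell
#!/bin/sh
# Classify an ls(1)-style mode string for a setuid binary.
# Arguments: <mode-string> <owner> <group> <expected-group>
# Returns 0 when acceptable, 1 when the binary is over-exposed.
setuid_check() {
    mode=$1 owner=$2 group=$3 want_group=$4
    # Character 4 carries the setuid bit, character 10 the "other" execute bit.
    suid=$(printf '%s' "$mode" | cut -c4)
    oexec=$(printf '%s' "$mode" | cut -c10)
    case $suid in
        s|S) ;;
        *) echo "no setuid bit on $mode: nothing to check"; return 0 ;;
    esac
    if [ "$owner" != root ]; then
        echo "setuid but owned by $owner, not root: review separately"
        return 0
    fi
    if [ "$oexec" = x ] || [ "$oexec" = t ]; then
        # The case reported in the thread: 4755 root, runnable by every user.
        echo "BAD: setuid root and executable by everyone (mode $mode)"
        return 1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "BAD: setuid root limited to group $group, expected $want_group"
        return 1
    fi
    echo "OK: setuid root, executable only by group $want_group"
    return 0
}

# Run the check on a real path. Assumes ls -ld prints mode, links, owner,
# group as its first four columns (true for BSD and GNU ls).
setuid_check_path() {
    path=$1 want_group=$2
    [ -e "$path" ] || { echo "no such file: $path"; return 2; }
    set -- $(ls -ld "$path")
    setuid_check "$1" "$3" "$4" "$want_group"
}

# Usage (group name is an assumption; adjust to your build's --with-group):
# setuid_check_path /usr/local/libexec/amanda/runtar operator
```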
