[12435] in bugtraq


Re: [Re: Amanda multiple vendor local root compromises]

daemon@ATHENA.MIT.EDU (Frank Crawford)
Thu Nov 4 12:14:38 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <9911041042.ZM651808@kent.ansto.gov.au>
Date:         Thu, 4 Nov 1999 10:42:48 +1100
Reply-To: frank@ansto.gov.au
From: Frank Crawford <frank@KENT.ANSTO.GOV.AU>
X-To:         Robert Watson <robert+freebsd@cyrus.watson.org>,
              BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Robert Watson <robert@cyrus.watson.org> "Re: [Re: Amanda multiple
              vendor local root compromises]" (Nov  2,  1:43pm)

On Nov 2,  1:43pm, Robert Watson wrote:
> Subject: Re: [Re: Amanda multiple vendor local root compromises]
...
> It should also be pointed out that the symlink bug described in the
> original post seems to be a bug in Amanda that is not platform-specific --
> I haven't seen any further comment on that, only on the package
> installation.  Has anyone verified that the amanda.debug file is created
> in such a way that a) it has a predictable name, and b) it follows
> symlinks?  Really, it should probably go in /var/run (or equiv directory
> on whatever OS), should be created using O_CREAT and O_EXCL, or should be
> created using mktemp.  Probably the first option is best.

I'll make a comment on that.  On our systems all the amanda temp files are now
created in a directory /tmp/amanda, which has access only to the amanda user
(i.e. 700).  This is for amanda ver 2.4.1p1, and was compiled locally
(unfortunately, not by me, so I don't know if there were any special options).
I know that previous versions did create such files in /tmp.

									Frank

--
Frank Crawford		Email:	frank@ansto.gov.au	Postal:	PMB 1
Site Systems Manager	Phone:	+61 2 9717 3015			Menai NSW 2234
ANSTO			Fax:	+61 2 9717 9273			Australia

PGP Fingerprint: (8BB1C821) 06 4F 35 82 1D D6 0E 56  9F AB B8 F7 67 AF 1A 9D
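
The measures discussed in this message (a private mode-700 directory, plus creation with O_CREAT and O_EXCL so that a planted symlink is refused rather than followed), as an added C example that is not part of the original post and is not Amanda's code. The function name `open_debug_file` and the demo path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Amanda's code): create `name` inside a private
 * directory `dir`, refusing symlinks and pre-existing files.
 * Returns an open fd, or -1 with errno set. */
int open_debug_file(const char *dir, const char *name)
{
    struct stat st;
    int dfd, fd, saved;

    if (strchr(name, '/')) {            /* name must stay inside dir */
        errno = EINVAL;
        return -1;
    }
    /* Create the directory 0700; an existing one is checked below. */
    if (mkdir(dir, 0700) == -1 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: fail if `dir` itself has been replaced by a symlink. */
    dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd == -1)
        return -1;
    /* fstat the descriptor we hold, so the check and the later use refer
     * to the same object: owned by us, no group/other permission bits. */
    if (fstat(dfd, &st) == -1 || st.st_uid != geteuid() ||
        (st.st_mode & 077) != 0) {
        close(dfd);
        errno = EACCES;
        return -1;
    }
    /* O_CREAT|O_EXCL: never reuse an existing name; a symlink planted at
     * `name` makes the call fail with EEXIST instead of being followed. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    saved = errno;
    close(dfd);
    errno = saved;
    return fd;
}

int main(void)
{
    /* Constructed demo path; a daemon would use its own directory. */
    int fd = open_debug_file("/tmp/amanda-demo", "amanda.debug");
    if (fd == -1) { perror("open_debug_file"); return EXIT_FAILURE; }
    return close(fd) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```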
