[15264] in bugtraq
Re: BRU Vulnerability
daemon@ATHENA.MIT.EDU (Gavrie Philipson)
Thu Jun 8 16:14:36 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <393F3D20.BB89F298@netmor.com>
Date: Thu, 8 Jun 2000 09:28:48 +0300
Reply-To: gavrie@NETMOR.COM
From: Gavrie Philipson <gavrie@NETMOR.COM>
X-To: root <comsec.admin@GTE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
root wrote:
> BRU backup software Vulnerability:
>
> Description:
> You can change the log file BRU uses by changing the
> BRUEXECLOG environment variable. Since bru is setuid
> root you can append to any file on the system.
Why, am I wondering, would a sane person install BRU with setuid
permissions?
That's like installing tar with setuid permissions and wondering about
overwritten files.
On my systems, BRU words fine without any setuid/setgid perms.
Gavrie.
--
Gavrie Philipson
Netmor Applied Modeling Research Ltd.
