[15286] in bugtraq
Re: BRU Vulnerability
daemon@ATHENA.MIT.EDU (Jeremy Rauch)
Sat Jun 10 02:45:26 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000608140526.A24066@securityfocus.com>
Date: Thu, 8 Jun 2000 14:05:26 -0700
Reply-To: Jeremy Rauch <jrauch@SECURITYFOCUS.COM>
From: Jeremy Rauch <jrauch@SECURITYFOCUS.COM>
X-To: Gavrie Philipson <gavrie@NETMOR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <393F3D20.BB89F298@netmor.com>; from gavrie@NETMOR.COM on Thu,
Jun 08, 2000 at 09:28:48AM +0300
On Thu, Jun 08, 2000 at 09:28:48AM +0300, Gavrie Philipson wrote:
> root wrote:
> > BRU backup software Vulnerability:
> >
> > Description:
> > You can change the log file BRU uses by changing the
> > BRUEXECLOG environment variable. Since bru is setuid
> > root you can append to any file on the system.
>
> Why, am I wondering, would a sane person install BRU with setuid
> permissions?
> That's like installing tar with setuid permissions and wondering about
> overwritten files.
>
> On my systems, BRU words fine without any setuid/setgid perms.
By default, BRU is installed setuid root. If it isn't, and is run by a
non-root user, it complains:
bru: [W171] warning - BRU must be owned by root and have suid bit set
Many (most) users who install BRU probably never think to check if its
installed setuid. Should it be? Probably not, but it is a very real
vulnerability under a default install.
-j
