Re: [Re: Amanda multiple vendor local root compromises]

[peter () TALARIAN COM (Peter Walker)]

Comments in-line below

*********** REPLY SEPARATOR  ***********

On 11/1/99 at 6:04 PM Brock Tellier wrote:

> On my system (FreeBSD 3.3-RELEASE + amanda-2.4.1 package included on CD):
>
> -rwsr-xr-x root/wheel
>
> And thus ANY user, not just amanda/bin/operator can exploit runtar.
> Obviously, from the replies I've recieved, this is an error in the package
> installation, but I assure you that it was entierly automated by
> /stand/sysinstall and not fooled with by me.

As the amanda distribution, as obtained via
ftp://ftp.amanda.org/pub/amanda, is not AFAIK available in a form that can
be installed via /stand/sysinstall then someone (or some organisation)
created a package in this format for installation from the CD. The problems
mentioned originally seem to me, to be in the way this package was created.

> "Properly installed" is an interesting phrase.  If by "properly" you mean
"not
> mucking around with the default permissions", than I did exactly that.  My
> installation of FreeBSD 3.3-RELEASE was about 3 days old and I had just
> installed the Amanda-2.4.1 package before starting my testing.  Perhaps it
is
> reasonable for everyone to check the permissions of every suid program (I
> certianly do), but, of course, this doesn't always happen. In any case, I
> don't *think* this is an installation error on my part and I will try
> installing again to see if I come up with the same permissions.  One
> interesting point is that some of amanda's other suid programs such as
> "killprg" and "rundump" have the correct rwsr-x--- root/operator
permissions
> on my system.  I would like some Bugtraq subscribers to try and install
this
> package on the same configuration I have and see what they get.

My take on what "properly installed" means is that the package was
installed as per the instructions provided with the source and on the
amanda web site.

ie

        ./configure --with-user xxx --with-group yyy <other options>
        make

        su
        make install

The makefile in the client_src directory of the distribution contains the
lines for the installation of runtar (and some other executables)

@list="<snip> $(libexecdir)/runtar"; \

for p in $$list; do \
        if echo "$(sbin_SCRIPTS) $(libexec_PROGRAMS) $(libexec_SCRIPTS)"
           | grep `basename $$p` >/dev/null 2>&1; then \

                pa=$(DESTDIR)`echo $$p|sed '$(transform)'`; \
                echo chown root $$pa; \
                chown root $$pa; \
                echo chmod u+s,o-rwx $$pa; \
                chmod u+s,o-rwx $$pa; \
        else true; \
        fi; \
done

I think it is fair to say that there is a problem with the amanda package
as it is shipped on the FreeBSD 3.3 CD, rather than with the amanda backup
system itself. It would be interesting to find out if any other "standard"
os distributions have similar problems.

Personally I would be very wary of entrusting the security of any of our
systems to somebody else's packaging of a software package that by its
nature requires unrestricted read access to all of my disks.

Peter