Re: Amanda multiple vendor local root compromises

[tobkin () SOFTWARE UMN EDU (Chris Tobkin)]

[...]
> DETAILS:
>
> Amanda's "runtar" program, suid root by default on FreeBSD 3.3, calls
> /usr/bin/tar and passes all args given to runtar to this program. Tar is
> thus run with root permissions and is vulnerable to all of the same
> attacks on suid programs that it would have if it were suid itself.

[...]
> WHO IS VULNERABLE:
> Anyone running a suid version of runtar should be suspicious.  I've not
> tested any other O.S.'s except FreeBSD 3.3, which includes amanda 2.3.0
> and 2.4.1 as "additional packages" on the install CD and tar-1.11.2.
[snip]

I doubt that this is OS specific in the installation, but all the installs
of amanda i've seen (and have running here) have runtar suid root, but
perm'd to 7450 (other can't exec it).  It may be part of the packages
bundled with FreeBSD.. All of our builds are local compilations from
source...  (In fact, all the suid binaries installed by a `make install`
are perm'd o-rwx  and have a gid of sys or other) -- All I have for
reference here are solaris and AIX machines.. can anyone else confirm?

// chris
tobkin () umn edu

*************************************************************************
Chris Tobkin                                               tobkin () umn edu
Java and Web Services - Academic and Distributed Computing Services - UMN
             ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
        "Nothing great was ever achieved without enthusiasm."
        - Ralph Waldo Emerson, poet, writer, and philosopher
*************************************************************************