Re: BRU Vulnerability

[felicity () KLUGE NET (Theo Van Dinter)]

On Thu, Jun 08, 2000 at 02:05:26PM -0700, Jeremy Rauch wrote:
> By default, BRU is installed setuid root.  If it isn't, and is run by a
> non-root user, it complains:
> bru: [W171] warning - BRU must be owned by root and have suid bit set

Clarification request:  Which version of BRU?  I got the RPM version of
BRU 2000 (v15 I believe) w/ a RedHat box set I bought one day:

> rpm -q BRU2000
BRU2000-15.0P-2
> rpm -V BRU2000
..?.....   /bin/bru
..?.....   /bru/bru
S.5....T c /etc/brutab
> ls -la /bin/bru
-rwx--x--x   1 root     root       157396 Dec 18  1997 /bin/bru

The "rpm -V" shows no permissions difference between installed and package,
and the /bin/bru program isn't setuid.  It does complain about being
non-setuid, but it works just the same without it.

> Many (most) users who install BRU probably never think to check if its
> installed setuid.  Should it be?  Probably not, but it is a very real
> vulnerability under a default install.

If you're worried about security, you should have done the standard

find / -perm +6000 -print

or the appropriate version thereof to find all of the setuid/gid programs on
your system.  Standard security practice.  If it has it but doesn't need it,
take it away.

--
Randomly Generated Tagline:
"Premature optimisation is the root of all evil." - Knuth