Date: Mon, 20 Dec 1999 01:27:08 -0500 (EST)
From: beaupran@iro.umontreal.ca
To: FreeBSD-gnats-submit@freebsd.org
Subject: sparc/15577: Amanda 2.3.0 runtar program allow any user to run tar as root
Message-ID: <19991220062708.B845B1B5C@anarcat.dyndns.org>
>Number: 15577
>Category: sparc
>Synopsis: Amanda 2.3.0 runtar program allow any user to run tar as root
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-sparc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 19 22:30:02 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: AnarCat
>Release: FreeBSD 3.3-STABLE i386
>Organization:
>Environment:
Any FreeBSD box with a recent Amanda 2.3.0 package or port normally installed.
>Description:
As reported on BugTraq a while ago, Amanda 2.3.0 features a 'runtar'
program that is 4755 root.wheel. This program simply calls 'tar' with the given
arguments. This could be used to read or write any file on the system.
Other executables are setuid in the same directory and may also create problems,
but I have not yet tested them through.
>How-To-Repeat:
Simple exploit:
/usr/local/libexec/amanda/runtar fc - /etc/master.passwd
cats /etc/master.passwd. This can obviously be done for whole file trees.
/usr/local/libexec/amanda/runtar fc /etc/master.passwd my_passwd_file
will conveniently overwrite /etc/master.passwd with a user-defined passwd file.
>Fix:
These are suggestions. I'm too unaware of the amanda system to be really
sure of what I'm doing here.
Running Amanda in a sandbox:
(1) Create an 'amanda' group
(2) Make the /usr/local/libexec/amanda directory 510 root:amanda
(3) chown all files in /usr/local/libexec/amanda root:amanda and chmod them 4510
This way, amanda will be 'exploitable' only if the 'amanda' group is compromised.
Concretely, I suggest adding a pkg/INSTALL file and modifying the
'post-install' target in the Makefile:
pkg/INSTALL:
---8<------8<--- CUT HERE ---8<------8<---
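#! /bin/sh
# Lock down the Amanda helper directory so that only members of the
# 'amanda' group can reach the setuid-root programs in it.

# yesno is not a shell builtin; minimal definition so the prompt below works.
# Asks question $1 with default answer $2 and returns 0 for yes, 1 for no.
yesno() {
    while :; do
        echo -n "$1? [$2] "
        read answer
        case "${answer:-$2}" in
        [Yy]*) return 0 ;;
        [Nn]*) return 1 ;;
        esac
        echo "Please answer yes or no."
    done
}

echo -n "Adding necessary groups and modifying permissions on "
echo "${PREFIX}/libexec/amanda dir"
group=amanda
if pw groupshow "${group}" 2>/dev/null; then
    echo "You already have a group \"${group}\", so I will use it."
else
    echo "You need a group \"${group}\"."
    if yesno "Would you like me to create it" y; then
        pw groupadd ${group} -h - || exit
        echo "Done."
    else
        echo "Please create it, and try again."
        exit 1
    fi
fi
echo "Modifying permissions on ${PREFIX}/libexec/amanda"
# Directory: owner r-x, group --x, nothing for others.
chown root:amanda "${PREFIX}/libexec/amanda"
chmod 510 "${PREFIX}/libexec/amanda"
# Programs: setuid root, readable and executable by owner and group only.
chown root:amanda "${PREFIX}/libexec/amanda"/*
chmod 4550 "${PREFIX}/libexec/amanda"/*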
---8<------8<--- CUT HERE ---8<------8<---
Makefile diff:
---8<------8<--- CUT HERE ---8<------8<---
*** Makefile.orig Mon Dec 20 01:20:44 1999
--- Makefile Mon Dec 20 01:21:11 1999
***************
*** 22,26 ****
--- 22,28 ----
post-install:
${MKDIR} ${PREFIX}/share/examples/amanda
${CP} -R ${WRKSRC}/example/* ${PREFIX}/share/examples/amanda
+ @PREFIX=${PREFIX} ${SH} ${PKGDIR}/INSTALL
+
.include <bsd.port.mk>
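Review bot: the added post-install line runs ${PKGDIR}/INSTALL with no arguments and no guard for unattended builds, while the script it calls prompts through yesno and does "exit 1" when the group is not created. If the prompt is declined or cannot be answered, the target fails after the programs have already been copied into ${PREFIX}/libexec/amanda, so they stay at their original setuid mode. Suggest passing the package name and phase to the script (for example "${PKGNAME} POST-INSTALL"), having it act only on that phase, and creating the group without prompting when no terminal is available. The permissions text above the script says 4510 while the script applies 4550; the two should agree before this goes in.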
---8<------8<--- CUT HERE ---8<------8<---
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-sparc" in the body of the message
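
A check for the lockdown proposed in this report, as an added example that is not part of the original message or of Amanda: it lists setuid files that keep execute permission for "other" and flags a helper directory that any user can enter. The function names are hypothetical; run it as root so find can descend into a directory closed to "other".

```shell
#!/bin/sh
# Added example: audit a directory of setuid helpers against the
# "510 directory, 4550 files" layout suggested in the report.

# List regular files under $1 that are setuid AND executable by "other",
# i.e. files any local user may run with the file owner's privileges.
world_runnable_setuid() {
    find "$1" -type f -perm -4000 -perm -0001 -print
}

# Print $1 itself if "other" has search (x) permission on the directory.
world_searchable_dir() {
    find "$1" -prune -type d -perm -0001 -print
}

# Return 0 when neither check finds anything, 1 otherwise.
audit_dir() {
    dir=$1
    rc=0
    open_dir=$(world_searchable_dir "$dir")
    if [ -n "$open_dir" ]; then
        echo "WARN: directory can be entered by any user: $open_dir"
        rc=1
    fi
    exposed=$(world_runnable_setuid "$dir")
    if [ -n "$exposed" ]; then
        echo "WARN: setuid files with execute permission for other:"
        echo "$exposed" | sed 's/^/  /'
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $dir exposes no setuid program to non-members"
    fi
    return "$rc"
}
```

Call it as `audit_dir /usr/local/libexec/amanda`; a non-zero exit status means at least one of the two conditions still holds.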
