Bug 15578 - Amanda 2.3.0 runtar program allow any user to run tar as root
Summary: Amanda 2.3.0 runtar program allow any user to run tar as root
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-ports (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 1999-12-20 07:00 UTC by Anarcat
Modified: 2011-05-19 20:50 UTC (History)
0 users

See Also:


Attachments
file.diff (393 bytes, patch)
1999-12-20 07:00 UTC, Anarcat
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Anarcat 1999-12-20 07:00:01 UTC
[Sorry. This is a resend. The first got through as sparc/15577.
Horrible typo. I don't know how to modify this apart from sending this
one. ]

        As reported on BugTraq a while ago, Amanda 2.3.0 features a 'runtar' 
program that is 4755 root.wheel. This program simply calls 'tar' with the given
arguments. This could be used to read or write any file on the system. 

Others executables are setuid in the same directory and may also create problems
but I have not yet tested them through.

Fix: These are suggestions. I'm too unaware of the amanda system to be really
sure of what I'm doing here. 

Runnning Amanda in a sandbox:
(1) Create a 'amanda' group  
(2) make the /usr/local/libexec/amanda directory 510 root:amanda
(3) chown all files in /usr/local/libexec/amanda root:amanda and chmod them 4510
    
This way, amanda will be 'exploitable' only if the 'amanda' group is compromised
.

Concretely, I suggest adding a pkg/INSTALL file and modifying the
'post-install' target in the Makefile:

pkg/INSTALL:
---8<------8<--- CUT HERE ---8<------8<---
#! /bin/sh
echo -n "Adding necessary groups and modifying permissions on "
echo "${PREFIX}/libexec/amanda dir" 

group=amanda

if pw groupshow "${group}" 2>/dev/null; then
    echo "You already have a group \"${group}\", so I will use it."
else
    echo "You need a group \"${group}\"."
    if yesno "Would you like me to create it" y; then
        pw groupadd ${group} -h - || exit
        echo "Done."
    else
        echo "Please create it, and try again."
        exit 1
    fi
fi

echo "Modifying permissions on ${PREFIX}/libexec/amanda"
chown root:amanda ${PREFIX}/libexec/amanda
chmod 510 ${PREFIX}/libexec/amanda
chown root:amanda ${PREFIX}/libexec/amanda/*
chmod 4550 ${PREFIX}/libexec/amanda/*
---8<------8<--- CUT HERE ---8<------8<---

Makefile diff:
---8<------8<--- CUT HERE ---8<------8<---
How-To-Repeat: 
        Simple exploit:

/usr/local/libexec/amanda/runtar fc - /etc/master.passwd               

cats /etc/master.passwd. This can obviously be done for whole file trees. 
 
/usr/local/libexec/amanda/runtar fc /etc/master.passwd my_passwd_file

while conveniently overwrite /etc/master.passwd with a user-defined passwd file.
Comment 1 Chris D.Faulhaber freebsd_committer freebsd_triage 1999-12-21 13:05:46 UTC
State Changed
From-To: open->closed

Duplicate of ports/15577. 

Comment 2 dfilter service freebsd_committer freebsd_triage 2011-05-19 20:41:31 UTC
sylvio      2011-05-19 19:41:17 UTC

  FreeBSD ports repository

  Modified files:
    databases/rrdtool    Makefile 
  Added files:
    databases/rrdtool/files rrdcached.in 
  Log:
  - Add rrdcached daemon
  - Add license
  
  PR:             ports/15578
  Submitted by:   falz <me@falz.net>
  
  Revision  Changes    Path
  1.100     +3 -0      ports/databases/rrdtool/Makefile
  1.1       +31 -0     ports/databases/rrdtool/files/rrdcached.in (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"