[Sorry. This is a resend. The first got through as sparc/15577. Horrible typo. I don't know how to modify this apart from sending this one.]

As reported on BugTraq a while ago, Amanda 2.3.0 features a 'runtar' program that is 4755 root.wheel. This program simply calls 'tar' with the given arguments. This could be used to read or write any file on the system.

Other executables are setuid in the same directory and may also create problems, but I have not yet tested them through.

Fix:

These are suggestions. I'm too unaware of the amanda system to be really sure of what I'm doing here.

Running Amanda in a sandbox:

(1) Create an 'amanda' group
(2) make the /usr/local/libexec/amanda directory 510 root:amanda
(3) chown all files in /usr/local/libexec/amanda root:amanda and chmod them 4510

This way, amanda will be 'exploitable' only if the 'amanda' group is compromised.

Concretely, I suggest adding a pkg/INSTALL file and modifying the 'post-install' target in the Makefile:

pkg/INSTALL:

---8<------8<--- CUT HERE ---8<------8<---
#! /bin/sh

# yesno QUESTION DEFAULT: called below but not defined in the script as
# posted; this minimal version is an assumption so that the script runs.
yesno() {
    while :; do
        echo -n "$1 [$2]? "
        read answer
        case "${answer:-$2}" in
            [Yy]*) return 0 ;;
            [Nn]*) return 1 ;;
        esac
        echo "Please answer yes or no."
    done
}

echo -n "Adding necessary groups and modifying permissions on "
echo "${PREFIX}/libexec/amanda dir"

group=amanda
# Reuse the group if it already exists, otherwise offer to create it.
if pw groupshow "${group}" 2>/dev/null; then
    echo "You already have a group \"${group}\", so I will use it."
else
    echo "You need a group \"${group}\"."
    if yesno "Would you like me to create it" y; then
        pw groupadd "${group}" -h - || exit
        echo "Done."
    else
        echo "Please create it, and try again."
        exit 1
    fi
fi

# Close the directory to everyone outside root and the amanda group.
echo "Modifying permissions on ${PREFIX}/libexec/amanda"
chown root:amanda "${PREFIX}/libexec/amanda"
chmod 510 "${PREFIX}/libexec/amanda"
chown root:amanda "${PREFIX}/libexec/amanda"/*
chmod 4550 "${PREFIX}/libexec/amanda"/*
---8<------8<--- CUT HERE ---8<------8<---

Makefile diff:

---8<------8<--- CUT HERE ---8<------8<---

How-To-Repeat:

Simple exploit:

/usr/local/libexec/amanda/runtar fc - /etc/master.passwd

cats /etc/master.passwd. This can obviously be done for whole file trees.

/usr/local/libexec/amanda/runtar fc /etc/master.passwd my_passwd_file

will conveniently overwrite /etc/master.passwd with a user-defined passwd file.

State Changed From-To: open->closed Duplicate of ports/15577.
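
A check for the sandbox layout proposed in the report, as an added example that is not part of the original PR or of Amanda: it flags a helper directory that is open to other users, setuid files any local user can execute (the 4755 runtar case), and setuid files outside the dedicated group. The function name and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the report): audit a setuid helper directory against
# the layout the report proposes. Function name and labels are constructed.

# usage: audit_amanda_dir DIR [GROUP]
# Prints one finding per line; prints nothing when the layout matches.
audit_amanda_dir() {
    dir=$1
    group=${2:-amanda}

    # Step (2) of the report: the directory should give "other" no access at all.
    if [ -n "$(find "$dir" -maxdepth 0 \
            \( -perm -0001 -o -perm -0002 -o -perm -0004 \))" ]; then
        echo "DIR_OPEN_TO_OTHER $dir"
    fi

    # The reported problem: a setuid file that every local user may execute.
    find "$dir" -type f -perm -4000 -perm -0001 | sort |
        sed 's/^/SETUID_WORLD_EXEC /'

    # Step (3): setuid helpers should belong to the dedicated group.
    # find exits non-zero when the group name is unknown, so report that
    # separately instead of silently passing the check.
    if stray=$(find "$dir" -type f -perm -4000 ! -group "$group" 2>/dev/null); then
        if [ -n "$stray" ]; then
            echo "$stray" | sort | sed 's/^/SETUID_WRONG_GROUP /'
        fi
    else
        echo "GROUP_LOOKUP_FAILED $group"
    fi
    return 0
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_amanda_dir "$@"
fi
```

Run it as `sh audit.sh /usr/local/libexec/amanda amanda` after applying the permission changes; an empty result means none of the three conditions was found.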

sylvio 2011-05-19 19:41:17 UTC

FreeBSD ports repository

Modified files:
  databases/rrdtool Makefile
Added files:
  databases/rrdtool/files rrdcached.in
Log:
- Add rrdcached daemon
- Add license

PR: ports/15578
Submitted by: falz <me@falz.net>

Revision  Changes  Path
1.100     +3 -0    ports/databases/rrdtool/Makefile
1.1       +31 -0   ports/databases/rrdtool/files/rrdcached.in (new)