Bug 15577

Summary: Amanda 2.3.0 runtar program allows any user to run tar as root
Product: Ports & Packages Reporter: Anarcat <beaupran>
Component: Individual Port(s)    Assignee: Steve Price <steve>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Anarcat 1999-12-20 06:30:02 UTC
        As reported on BugTraq a while ago, Amanda 2.3.0 features a 'runtar' 
program that is 4755 root.wheel. This program simply calls 'tar' with the given
arguments. This could be used to read or write any file on the system. 

Other executables are setuid in the same directory and may also create problems,
but I have not yet tested them thoroughly.

Fix: These are suggestions. I'm too unaware of the amanda system to be really
sure of what I'm doing here. 

Running Amanda in a sandbox:
(1) Create a 'amanda' group  
(2) make the /usr/local/libexec/amanda directory 510 root:amanda
(3) chown all files in /usr/local/libexec/amanda root:amanda and chmod them 4510
    
This way, amanda will be 'exploitable' only if the 'amanda' group is compromised.

Concretely, I suggest adding a pkg/INSTALL file and modifying the
'post-install' target in the Makefile:

pkg/INSTALL:
---8<------8<--- CUT HERE ---8<------8<---
#! /bin/sh
# pkg_add(1) runs this script as "INSTALL <pkgname> PRE-INSTALL" and again
# with "POST-INSTALL"; the files only exist after the second call.
[ "$2" = "POST-INSTALL" ] || exit 0

# pkg_add exports the install prefix as PKG_PREFIX; fall back to /usr/local.
PREFIX=${PKG_PREFIX:-/usr/local}
group=amanda

# Ask "$1 [default]?" and return 0 for yes, 1 for no.  Other FreeBSD
# pkg/INSTALL scripts define the same helper; it is not provided by pkg_add.
yesno() {
    while :; do
        echo -n "$1 [$2]? "
        read ans
        [ -z "$ans" ] && ans=$2
        case "$ans" in
        [Yy]*) return 0 ;;
        [Nn]*) return 1 ;;
        esac
    done
}

echo -n "Adding necessary groups and modifying permissions on "
echo "${PREFIX}/libexec/amanda dir"

if pw groupshow "${group}" >/dev/null 2>&1; then
    echo "You already have a group \"${group}\", so I will use it."
else
    echo "You need a group \"${group}\"."
    if yesno "Would you like me to create it" y; then
        pw groupadd "${group}" -h - || exit 1
        echo "Done."
    else
        echo "Please create it, and try again."
        exit 1
    fi
fi

# Restrict the setuid helpers to root and members of the amanda group:
# the directory is not even traversable by other users, and every file in it
# becomes setuid root but executable only by root:amanda.
echo "Modifying permissions on ${PREFIX}/libexec/amanda"
chown "root:${group}" "${PREFIX}/libexec/amanda"
chmod 510 "${PREFIX}/libexec/amanda"
chown "root:${group}" "${PREFIX}"/libexec/amanda/*
chmod 4550 "${PREFIX}"/libexec/amanda/*
---8<------8<--- CUT HERE ---8<------8<---

Makefile diff:
---8<------8<--- CUT HERE ---8<------8<---
How-To-Repeat: 
        Simple exploit:

/usr/local/libexec/amanda/runtar fc - /etc/master.passwd               

cats /etc/master.passwd. This can obviously be done for whole file trees. 
 
/usr/local/libexec/amanda/runtar fc /etc/master.passwd my_passwd_file

conveniently overwrites /etc/master.passwd with a user-defined passwd file.
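The sandboxing suggestion above boils down to two invariants: no setuid file in the amanda libexec directory may carry any "other" permission bit, and every such file must belong to the restricted group. The audit below is an added example, not code from this PR or from the amanda port; it checks those invariants on an arbitrary directory (the directory path, the group name "amanda" and the function name audit_setuid_dir are assumptions of the example), so a packager can verify the post-install state, or re-run it after an upgrade that may have reset the modes to 4755.

```sh
#!/bin/sh
# Added example (not part of the PR): audit a libexec directory for setuid
# binaries that users outside the intended group can still reach.
#
# audit_setuid_dir DIR [GROUP]
#   Prints every setuid regular file under DIR that is readable, writable or
#   executable by "other", every setuid file whose group is not GROUP
#   (default: amanda, an assumption of this example), and reports a DIR that
#   is itself traversable by "other".  Returns 0 if nothing was found, 1
#   otherwise, so it can be used in a Makefile target or a cron job.
audit_setuid_dir() {
    dir=$1
    want_group=${2:-amanda}
    bad=0

    if [ ! -d "$dir" ]; then
        echo "$dir: no such directory"
        return 1
    fi

    # 1. The directory itself must not be entered by arbitrary users
    #    (-prune stops find from descending, so only DIR is examined).
    open_dir=$(find "$dir" -prune -type d \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print)
    if [ -n "$open_dir" ]; then
        echo "directory reachable by others: $open_dir"
        bad=1
    fi

    # 2. Setuid files with any "other" bit set: this is the 4755 runtar case,
    #    where any local user can run tar with root privileges.
    world=$(find "$dir" -type f -perm -4000 \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print)
    if [ -n "$world" ]; then
        echo "setuid files reachable by others:"
        echo "$world"
        bad=1
    fi

    # 3. Setuid files not owned by the restricted group.  find(1) fails with
    #    a nonzero status when the group does not exist, which is also a
    #    misconfiguration worth reporting (the group was never created).
    if wrong_group=$(find "$dir" -type f -perm -4000 ! -group "$want_group" -print 2>/dev/null); then
        if [ -n "$wrong_group" ]; then
            echo "setuid files not in group $want_group:"
            echo "$wrong_group"
            bad=1
        fi
    else
        echo "group $want_group does not exist or cannot be resolved"
        bad=1
    fi

    return $bad
}

# Usage: ./audit.sh /usr/local/libexec/amanda amanda
if [ "$#" -gt 0 ]; then
    audit_setuid_dir "$@"
fi
```

Only mode bits and group membership are checked; the script deliberately does not require root ownership, because a non-root test run (as below) cannot create root-owned files, and the exploitable property in the report is the world-executable bit, not the owner. Run it as the user that will invoke Amanda after the install to confirm the files are still reachable for that user.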
Comment 1 Alexey Zelkin freebsd_committer freebsd_triage 1999-12-20 15:04:02 UTC
Responsible Changed
From-To: freebsd-sparc->freebsd-ports

Misfiled PR 
Comment 2 Steve Price freebsd_committer freebsd_triage 1999-12-28 23:36:44 UTC
Responsible Changed
From-To: freebsd-ports->steve

This needs some tweaks before it is commit-ready, but I'm working on it. 
Comment 3 Steve Price freebsd_committer freebsd_triage 1999-12-29 07:13:49 UTC
State Changed
From-To: open->closed

Committed, thanks!