tech-security: Re: [btellier@USA.NET: Amanda multiple vendor local root compromises]

Subject: Re: [btellier@USA.NET: Amanda multiple vendor local root compromises]
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-security
Date: 11/02/1999 08:24:25

  by redmail.netbsd.org with SMTP; 2 Nov 1999 13:24:40 -0000
	by orchard.arlington.ma.us (8.8.8/1.34) with ESMTP id NAA07899;
	Tue, 2 Nov 1999 13:24:25 GMT
Message-Id: <199911021324.NAA07899@orchard.arlington.ma.us>
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
cc: tech-security@netbsd.org
Subject: Re: [btellier@USA.NET: Amanda multiple vendor local root compromises] 
In-Reply-To: Message from Manuel Bouyer <bouyer@antioche.lip6.fr> 
   of "Tue, 02 Nov 1999 14:19:01 +0100." <19991102141901.A19033@antioche.lip6.fr> 
Date: Tue, 02 Nov 1999 08:24:25 -0500
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>

> Just FYI, amanda root-suid programs are only accessible to group 'operator'
> in the NetBSD package, so users have to be in group operator to be able to
> exploit this.

this is still a security hole...  operator is allowed to read anything
on the machine (to do backups), but not write..

					- Bill