Subject: Re: [btellier@USA.NET: Amanda multiple vendor local root compromises]
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 11/02/1999 14:54:53
Message-ID: <19991102145453.A2926@antioche.lip6.fr>
References: <bouyer@antioche.lip6.fr> <199911021324.NAA07899@orchard.arlington.ma.us>
In-Reply-To: <199911021324.NAA07899@orchard.arlington.ma.us>

On Tue, Nov 02, 1999 at 08:24:25AM -0500, Bill Sommerfeld wrote:
> > Just FYI, amanda root-suid programs are only accessible to group 'operator'
> > in the NetBSD package, so users have to be in group operator to be able to
> > exploit this.
> 
> this is still a security hole...  operator is allowed to read anything
> on the machine (to do backups), but not write..

Yes. The point is, it is not 'any local users', it is 'users in group
operator'.
I think the amanda team is working on this ...

For now, if you don't use tar for your backups you can remove the suid bit
from /usr/pkg/libexec/runtar.
I can see why rundump is suid root, as long as the user running amanda is in
group operator.
Once runtar and rundump are not suid root I think killpgrp doesn't
need to be root either. I removed the suid bits on one of my machines,
I'll let you know how it works after tonight's backup.
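An added example, not code from the original message or from Amanda, that checks the two mitigations discussed above: a POSIX shell audit that lists the setuid executables under a directory, reports whether each is reachable only by its group (as the NetBSD package does with group operator) or by every local user, and strips the setuid bit the way the message suggests for runtar. The directory and files it builds are constructed stand-ins; the real package path in the thread is /usr/pkg/libexec.

```shell
#!/bin/sh
# Added example, not from the original message or from Amanda.
# classify_perms MODE GROUP: MODE is the mode string from ls -l.
# Prints "not-setuid", "group-only:<group>" (others lack execute, so only
# members of GROUP can run it) or "all-users" (any local user can run it).
classify_perms() {
    m=$(printf '%s' "$1" | cut -c1-10)        # drop SELinux/xattr suffixes
    case "$m" in
        ???[sS]??????) ;;                     # setuid bit in the user triplet
        *) echo not-setuid; return ;;
    esac
    case "$m" in
        *[xt]) echo all-users ;;              # others have execute
        *)     echo "group-only:$2" ;;
    esac
}

# audit_suid DIR: one line per setuid file, "<path> <owner> <group> <class>".
# A root-owned "all-users" entry is the exposure the advisory describes.
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        set -- $(ls -ld "$f")                 # mode links owner group ...
        echo "$f $3 $4 $(classify_perms "$1" "$4")"
    done
}

# strip_suid FILE: remove the setuid bit (the runtar workaround from the
# message) and print the resulting class.
strip_suid() {
    chmod u-s "$1" || return 1
    set -- $(ls -ld "$1")
    classify_perms "$1" "$4"
}

# demo: constructed stand-in for the package's libexec directory. The files
# are owned by whoever runs this, so they show as setuid-user, not root.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/runtar";  chmod 4750 "$d/runtar"   # group-restricted, as in the pkg
    : > "$d/rundump"; chmod 4755 "$d/rundump"  # world-executable setuid
    audit_suid "$d"
    strip_suid "$d/runtar"
    audit_suid "$d"                            # runtar no longer listed
    rm -rf "$d"
}

demo
```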