From spidey@anarcat.dyndns.org  Sun Dec 19 22:27:12 1999
Return-Path: <spidey@anarcat.dyndns.org>
Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20])
	by hub.freebsd.org (Postfix) with ESMTP id A76F3151A3
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 19 Dec 1999 22:27:10 -0800 (PST)
	(envelope-from spidey@anarcat.dyndns.org)
Received: by anarcat.dyndns.org (Postfix, from userid 1000)
	id B845B1B5C; Mon, 20 Dec 1999 01:27:08 -0500 (EST)
Message-Id: <19991220062708.B845B1B5C@anarcat.dyndns.org>
Date: Mon, 20 Dec 1999 01:27:08 -0500 (EST)
From: beaupran@iro.umontreal.ca
Sender: spidey@anarcat.dyndns.org
Reply-To: beaupran@iro.umontreal.ca
To: FreeBSD-gnats-submit@freebsd.org
Subject: Amanda 2.3.0 runtar program allow any user to run tar as root
X-Send-Pr-Version: 3.2

>Number:         15577
>Category:       ports
>Synopsis:       Amanda 2.3.0 runtar program allow any user to run tar as root
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    steve
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 19 22:30:02 PST 1999
>Closed-Date:    Tue Dec 28 23:13:49 PST 1999
>Last-Modified:  Tue Dec 28 23:14:02 PST 1999
>Originator:     AnarCat
>Release:        FreeBSD 3.3-STABLE i386
>Organization:
>Environment:

        Any FreeBSD box with a recent Amanda 2.3.0 package or port normally installed.

>Description:

        As reported on BugTraq a while ago, Amanda 2.3.0 features a 'runtar' 
program that is 4755 root.wheel. This program simply calls 'tar' with the given
arguments. This could be used to read or write any file on the system. 

Other executables are setuid in the same directory and may also create problems,
but I have not yet tested them thoroughly.

>How-To-Repeat:

        Simple exploit:

/usr/local/libexec/amanda/runtar fc - /etc/master.passwd               

cats /etc/master.passwd. This can obviously be done for whole file trees. 
 
/usr/local/libexec/amanda/runtar fc /etc/master.passwd my_passwd_file

will conveniently overwrite /etc/master.passwd with a user-defined passwd file.

>Fix:
	
        These are suggestions. I'm too unaware of the amanda system to be really
sure of what I'm doing here. 

Running Amanda in a sandbox:
(1) Create an 'amanda' group
(2) make the /usr/local/libexec/amanda directory 510 root:amanda
(3) chown all files in /usr/local/libexec/amanda root:amanda and chmod them 4510

This way, amanda will be 'exploitable' only if the 'amanda' group is compromised.

Concretely, I suggest adding a pkg/INSTALL file and modifying the
'post-install' target in the Makefile:

pkg/INSTALL:
---8<------8<--- CUT HERE ---8<------8<---
#! /bin/sh
# PREFIX is passed in by the port's post-install target; when this script
# runs from pkg_add the prefix arrives as PKG_PREFIX instead.
: ${PREFIX:=${PKG_PREFIX:-/usr/local}}

echo -n "Adding necessary groups and modifying permissions on "
echo "${PREFIX}/libexec/amanda dir"

group=amanda

# Prompt for a yes/no answer; $2 is the default used on an empty reply.
yesno() {
    question=$1
    default=$2
    while :; do
        echo -n "${question} [${default}]? "
        read answer
        [ -z "${answer}" ] && answer=${default}
        case "${answer}" in
        [Yy]*) return 0 ;;
        [Nn]*) return 1 ;;
        esac
        echo "Please answer yes or no."
    done
}

if pw groupshow "${group}" >/dev/null 2>&1; then
    echo "You already have a group \"${group}\", so I will use it."
else
    echo "You need a group \"${group}\"."
    if yesno "Would you like me to create it" y; then
        pw groupadd ${group} -h - || exit
        echo "Done."
    else
        echo "Please create it, and try again."
        exit 1
    fi
fi

# Only root and members of the amanda group may enter the directory or
# run the setuid binaries; chown runs before chmod so the setuid bit is
# not lost to an ownership change.
echo "Modifying permissions on ${PREFIX}/libexec/amanda"
chown root:amanda ${PREFIX}/libexec/amanda
chmod 510 ${PREFIX}/libexec/amanda
chown root:amanda ${PREFIX}/libexec/amanda/*
chmod 4550 ${PREFIX}/libexec/amanda/*
---8<------8<--- CUT HERE ---8<------8<---

Makefile diff:
---8<------8<--- CUT HERE ---8<------8<---
*** Makefile.orig       Mon Dec 20 01:20:44 1999
--- Makefile    Mon Dec 20 01:21:11 1999
***************
*** 22,26 ****
--- 22,28 ----
  post-install:
        ${MKDIR} ${PREFIX}/share/examples/amanda
        ${CP} -R ${WRKSRC}/example/* ${PREFIX}/share/examples/amanda
+       @PREFIX=${PREFIX} ${SH} ${PKGDIR}/INSTALL
+ 
  
  .include <bsd.port.mk>
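Review bot: the new post-install line runs an interactive script from a make target (pkg/INSTALL prompts through yesno), so an unattended build with no tty will block or fail here, and a refused prompt leaves the port half-installed because the examples have already been copied; consider creating the group non-interactively in the target and keeping the prompt for the pkg_add path. Note also that this recipe hands the prefix over as PREFIX while pkg_add hands it to the same script as PKG_PREFIX, so the script should accept either.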
---8<------8<--- CUT HERE ---8<------8<---
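
As an added example (not part of this PR), a small POSIX sh check for the exposure described above and for the sandbox layout the fix proposes: it lists setuid files that anyone may execute (the 4755 case) and applies the dir 510 / files 4550 layout to a constructed directory, using the caller's own group in place of 'amanda' so it runs unprivileged.

```shell
#!/bin/sh
# Added example, not from the PR. Audits a libexec directory for setuid
# binaries executable by "other" and applies the proposed group sandbox.

# List setuid files under $1 that are also world-executable.
# -perm -4001: setuid bit AND other-execute bit both set (e.g. mode 4755).
audit_setuid_dir() {
    find "$1" -type f -perm -4001 | sort
}

# Number of such files; a monitoring check would expect 0 after hardening.
count_exposed() {
    audit_setuid_dir "$1" | wc -l | tr -d ' '
}

# Apply the sandbox from the PR: group $2 owns the tree, only root and that
# group may traverse the directory or run the binaries. chgrp runs before
# chmod because an ownership change may clear the setuid bit.
sandbox_dir() {
    dir=$1
    group=$2
    chgrp "$group" "$dir" "$dir"/* || return 1
    chmod 510 "$dir" || return 1
    chmod 4550 "$dir"/* || return 1
}

# Demonstration on a constructed directory with two fake 4755 wrappers.
# Returns 0 when the audit finds 2 exposed files before and 0 after.
demo() {
    tmp=$(mktemp -d) || return 1
    for f in runtar rundump; do
        : > "$tmp/$f"
        chmod 4755 "$tmp/$f"
    done
    before=$(count_exposed "$tmp")
    sandbox_dir "$tmp" "$(id -gn)" || return 1
    after=$(count_exposed "$tmp")
    chmod 700 "$tmp"
    rm -rf "$tmp"
    echo "exposed before: $before, after: $after"
    [ "$before" -eq 2 ] && [ "$after" -eq 0 ]
}
```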

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-sparc->freebsd-ports 
Responsible-Changed-By: phantom 
Responsible-Changed-When: Mon Dec 20 07:04:02 PST 1999 
Responsible-Changed-Why:  
Misfiled PR 
Responsible-Changed-From-To: freebsd-ports->steve 
Responsible-Changed-By: steve 
Responsible-Changed-When: Tue Dec 28 15:36:44 PST 1999 
Responsible-Changed-Why:  
This needs some tweaks before it is commit-ready, but I'm working on it. 
State-Changed-From-To: open->closed 
State-Changed-By: steve 
State-Changed-When: Tue Dec 28 23:13:49 PST 1999 
State-Changed-Why:  
Committed, thanks! 
>Unformatted:
