#163 Backup user can overwrite arbitary files

[Anonymous]

Originally created by: thoger

Amanda backup user is able to overwrite arbitrary files or created new files in arbitrary locations via setuid-root tools. One example of how to write to arbitrary file is via the runtar tool:

$ /usr/lib64/amanda/runtar NOCONFIG tar --create --file /etc/shadow /files/to/archive

This makes it possible for for the user to escalate their privileges. Certain files, such as /etc/shadow used in the example above, or files under /etc/cron.d/, are parsed (at least on Linux) via fairly permissive parsers that are happy to skip over unknown data and continue searching for valid records, hence an unexpected file format does not prevent applications form using certain parts of those files.

AFAICT, the amanda backup user is not considered root-equivalent. For example, the default setting (restore_by_amanda_user option in the amanda-security.conf file) prevents the user from doing restore, and hence trivially overwrite arbitrary system file with content of chosen by the backup user. Also fixes preventing arbitrary code execution via one of the setuid-root tools (CVE-2016-10729 / 2ba9a5fb84, CVE-2016-10730 / 4bf5b9b356, or 71edf8dda6) were considered security.

I do not know if this is reasonably fixable, or if this means that the backup user needs to be considered fully trusted.

[Anonymous]

Originally posted by: chassell

Looking into a way to prevent this.