Originally created by: thoger
Amanda backup user is able to overwrite arbitrary files or create new files in arbitrary locations via setuid-root tools. One example of how to write to an arbitrary file is via the runtar tool:
$ /usr/lib64/amanda/runtar NOCONFIG tar --create --file /etc/shadow /files/to/archive
This makes it possible for the user to escalate their privileges. Certain files, such as /etc/shadow used in the example above, or files under /etc/cron.d/, are parsed (at least on Linux) via fairly permissive parsers that are happy to skip over unknown data and continue searching for valid records, hence an unexpected file format does not prevent applications from using certain parts of those files.
AFAICT, the amanda backup user is not considered root-equivalent. For example, the default setting (restore_by_amanda_user option in the amanda-security.conf file) prevents the user from doing a restore, and hence from trivially overwriting arbitrary system files with content chosen by the backup user. Also, fixes preventing arbitrary code execution via one of the setuid-root tools (CVE-2016-10729 / 2ba9a5fb84, CVE-2016-10730 / 4bf5b9b356, or 71edf8dda6) were considered security.
I do not know if this is reasonably fixable, or if this means that the backup user needs to be considered fully trusted.
Originally posted by: chassell
Looking into a way to prevent this.
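For defenders, an added example (not part of the original report and not Amanda's code): a detection check that flags runtar command lines whose tar archive target is anything other than stdout. The stdout-only baseline, the function names and the sample command lines are assumptions constructed for illustration; the argument layout follows the command shown in the report.

```python
import os
import shlex

# Assumption (not stated in the report): routine backups have runtar stream
# the archive to stdout, so "-" is the only expected --file target.
EXPECTED_TARGETS = {"-"}

def tar_file_targets(tar_args):
    """Collect archive paths given via --file X, --file=X, -f X, -cf X or -cfX."""
    targets, i = [], 0
    while i < len(tar_args) and tar_args[i] != "--":   # "--" ends tar options
        arg = tar_args[i]
        short = arg.startswith("-") and not arg.startswith("--")
        # Simplification: in a short cluster, text after the first "f" is the path.
        rest = arg.split("f", 1)[1] if short and "f" in arg else None
        if arg.startswith("--file="):
            targets.append(arg[len("--file="):])
        elif arg == "--file" or rest == "":
            i += 1                                     # path is the next argument
            targets.append(tar_args[i] if i < len(tar_args) else "")
        elif rest:
            targets.append(rest)
        i += 1
    return targets

def unexpected_runtar_targets(cmdline):
    """Return the --file targets of a runtar command line that are not expected."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "runtar":
        return []
    # Layout as in the report: runtar <config> <tar program> <tar args...>
    return [t for t in tar_file_targets(argv[3:]) if t not in EXPECTED_TARGETS]

# Constructed sample command lines, e.g. taken from process-execution audit records.
SAMPLES = [
    "/usr/lib64/amanda/runtar NOCONFIG tar --create --file /etc/shadow /files/to/archive",
    "/usr/lib64/amanda/runtar daily tar --create --file - --directory /home .",
    "/usr/lib64/amanda/runtar NOCONFIG tar -cf /etc/cron.d/example /tmp/x",
    "/usr/bin/tar --create --file /tmp/a.tar /home",
]
ALERTS = [s for s in SAMPLES if unexpected_runtar_targets(s)]

if __name__ == "__main__":
    for line in ALERTS:
        print("ALERT:", line, "->", unexpected_runtar_targets(line))
```

The same comparison can be applied to audit or EDR records that capture the full argv of setuid-root Amanda helpers.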