TUCoPS :: Unix :: General :: bruperms.txt

BRU poor permissions 


Date: Sat, 8 Nov 1997 00:58:54 -0500
From: Kyle Amon <amonk@GNUTEC.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: xbru vulnerability

BRU (Backup and Recovery Utility) is a fairly commonly used commercial
UNIX backup program available from EST, Inc. (Enhanced Software Technologies).
They have a website at http://www.estinc.com and were instrumental in some
of the recent FTAPE driver improvements for Linux.  All in all it's a
great program, however they have added a new tcl/tk based GUI interface
which installs with inappropriate permissions.  Below is an abreviated
version of a conversation I recently had with them.

[me]
> I recently bought bru (full version) for Linux.  When xbru installs, it
> creates a /usr/local/lib/bru directory with mode 777.  Is this mode
> required for some reason?  Because, if not, it looks a little loose to me?

[est]
> Yes, at the present time it does need to be 777.  Bru does some work which
> requires that mode; however, I've turned this one over to our programming shop
> to look at a change to this in the future.  Thank you for the inquiry.

[me]
> Hmm.  Doesn't that seem like a bad idea?  What's to keep any of my users
> from mucking about in there?  Nothing.  And what about a tcl/tk proficient
> user?  Since xbru would be run as root more often than not, what's to keep
> them from adding some nasties to the source?  Nothing.  It looks like a
> pretty major security hole to me.

[est]
> I passed your message on to our engineering staff for future implementations
> and, about two minutes later, the senior member was in my office with concern
> written on his face :(
>
> It appears as though the program was NOT suppose to go out 777 -- rather
> 1777.  That little sticky bit of a difference provides for the security of
> ownership.  Thank you for bringing this to our attention.
>
> You can ma
836
ke the following change to your system as shown:
>
>        chmod 1777 /usr/local/lib/bru   (assuming root login)

- Kyle

Kyle Amon                     email: amonk@raleigh.ibm.com
Unix Systems Administrator    phone: (203) 486-3290
Security Specialist           pager: 1-800-759-8888 PIN 1616512
IBM Global Services                  or 1616512@skymail.com (240 char max)
                              email: amonk@gnutec.com
                              url:   http://www.gnutec.com/kyle
KeyID 1024/173D96C9
Fingerprint = 90 4F 0B D4 2D 37 E7 61  1A 31 7B F2 72 04 66 1A

Windows 95:  A 32-bit patch for a 16-bit GUI shell running on top of an
             8-bit operating system written for a 4-bit processor by a
             2-bit company who cannot stand 1 bit of competition.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH