[原文]runtar in the Amanda backup system used in various UNIX operating systems executes tar with root privileges, which allows a user to overwrite or read arbitrary files by providing the target files to runtar.
This vulnerability was discovered and posted to the Bugtraq mailing list by Brock Tellier <email@example.com> on Sat, 30 Oct 1999.
FreeBSD FreeBSD 3.3
Amanda is a popular file backup system used by several free UNIX distributions. The version which ships with FreeBSD 3.3-RELEASE has been discovered to contain a permission vulnerability in the 'runtar' problem.
The 'runtar' program under Amanda is run SUID root and calls /usr/bin/tar. Due to the fact that 'runtar' is run as root and allows for user supplied data a malicious user can tar up files they should have no access to, or untar files over files which they should have no access to. For example, /etc/master.passwd could be overwritten with a new password file.
This problem also manifests itself in a second way. The problem here, is that /usr/bin/tar under FreeBSD has a buffer overflow in it. Normally this would not be a problem because FreeBSD ships tar as non-SUID root. However, runtar (Amanda's program which calls tar) is SUID root and passes user supplied arguments to the regular tar.
This allows malicious to send an overly long argument (with crafted shell code) to runtar and have it pass it to /usr/bin/tar which is now being executed as rot via runtar.
This vulnerability may very well be present in other UNIX distributions. This entry will be updated as more information becomes available.
The vulnerability is not as pressing under other platforms in hich Amanda runs since although runtar is SUID root is is normally only executable by group amanda is installed under (normally amanda, operator or bin). If someone has access to the amanda user id and group they already have access to the raw disks and can modify any files in the system.
Remove the executable bit on the runtar binary so it is only executable by its owner and group.