Bug 684 - dump/restore setuid root
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: dump
5.2
All Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
: Security
Depends On: 626956
Reported: 1999-01-04 15:50 EST by Alan Crosswell
Modified: 2011-03-28 11:53 EDT
Doc Type: Bug Fix
Last Closed: 1999-01-20 12:31:50 EST


Description Alan Crosswell 1999-01-04 15:50:38 EST
Isn't setuid root dump/restore a security hole?  Setuid dump
allows any user on your system to read the contents of any
file.  Setuid restore allows one to replace any file.
Unless the programs do some sanity checking.  Even if they
do, there's no reason for them to be setuid.

bash$ rpm -qilv dump | egrep sbin/dump\|sbin/restore\|Version\|Release
Version     : 0.3                               Vendor: Red Hat Software
Release     : 14                            Build Date: Tue Jul 14 17:58:11 1998
-rwsr-sr-x     root     root      36644 Jul 14 17:58 /sbin/dump
-rwsr-sr-x     root     root      56732 Jul 14 17:58 /sbin/restore
Comment 1 David Lawrence 1999-01-04 16:00:59 EST
I have verified that the dump and restore binaries are setuid and
therefore am assigning this to a developer for further review.
Comment 2 Jeff Johnson 1999-01-20 12:31:59 EST
The dump/restore binaries need to be setuid root in
order to communicate to a remote host. Immediately
after parsing arguments and (possibly) establishing
the connection to the remote host, the uid is reverted
to the invoking user.

There was another minor problem, however. The group on
dump/restore should have been tty, not root. This has been
fixed in dump-0.3-16.
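
The revert-to-invoking-user pattern that Comment 2 describes, shown as an added example; it is not code from dump/restore or from anyone in this thread. It assumes the privileged step is binding a reserved TCP port, and the names open_reserved_socket and drop_privileges are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example, not dump's source. Privileged step (assumed): bind a TCP
 * socket to a reserved port (<1024). Returns the socket, or -1 if not allowed. */
int open_reserved_socket(void)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    for (int port = 1023; port >= 512; port--) {
        sa.sin_port = htons((unsigned short)port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) return fd;
    }
    close(fd);
    return -1;
}

/* Permanently revert to the invoking user. Returns 0 only if verified. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid(), old_egid = getegid();
    /* Group first: once euid is no longer 0, setgid() cannot clear the saved gid. */
    if (setgid(rgid) != 0) return -1;
    /* With euid 0, setuid() sets the real, effective and saved uid together. */
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* Verify that a non-root invoker cannot get the old ids back. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    if (ruid != 0 && old_egid != rgid && setgid(old_egid) == 0) return -1;
    return 0;
}

int main(void)
{
    int fd = open_reserved_socket();   /* succeeds only while euid is 0 */
    if (drop_privileges() != 0) { fprintf(stderr, "privilege drop failed\n"); return 1; }
    printf("fd=%d uid=%d euid=%d gid=%d egid=%d\n", fd, (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    if (fd >= 0) close(fd);
    return 0;
}
```

Everything that touches user-supplied paths or data belongs after drop_privileges() returns 0; a failed drop has to abort the program rather than continue.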
