[Bug 758042] New: Amanda binary /usr/sbin/amservice needs to be setuid root:amanda
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Thu, 19 Apr 2012 13:18:30 +0000
- Message-id: <bug-758042-21960@http.bugzilla.novell.com/>
https://bugzilla.novell.com/show_bug.cgi?id=758042
https://bugzilla.novell.com/show_bug.cgi?id=758042#c0
Summary: Amanda binary /usr/sbin/amservice needs to be setuid root:amanda
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@xxxxxxx
ReportedBy: darin@xxxxxxxxxx
QAContact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0

/usr/sbin/amservice from the amanda package is meant to be setuid root:amanda
with permissions 4750.

1. Location of code:
https://github.com/zmanda/amanda/blob/master/common-src/amservice.c
2. Affected files: /usr/sbin/amservice
3. Reason why: The amservice command is used to execute an Amanda service on a
client or to check communication between a server and a client. When executed
on a client system as the amanda user, it will attempt to connect/bind to a
reserved TCP port between 512-1023, which fails because the setuid bit is not
set. Under normal operation, where backups are initiated from the server, this
does not matter, but with the addition of the amdump_client command, where a
backup may be initiated from the client, this is required.

http://en.opensuse.org/openSUSE:Security_packaging_policy#Setuid_binaries
Similar Fedora ticket:
https://bugzilla.redhat.com/show_bug.cgi?id=697933
amdump_client notes from mailing list:
http://old.nabble.com/using-amdump_client-td33704103.html
Reproducible: Always
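
A check for the mode and ownership requested in the report above (4750, root:amanda), as an added example that is not part of the original bug report or of the Amanda or openSUSE projects. It assumes GNU stat, and the function name check_setuid_helper is hypothetical.

```shell
#!/bin/sh
# Added example: compare a setuid helper with the mode and ownership its
# packager intends. Assumes GNU stat (coreutils).

# check_setuid_helper PATH MODE OWNER GROUP  (hypothetical helper name)
# Prints one line per deviation. Returns 0 on a match, 1 on a deviation,
# 2 if PATH is not a regular file or cannot be inspected.
check_setuid_helper() {
    path=$1; want_mode=$2; want_owner=$3; want_group=$4
    bad=0

    # Reject symlinks and missing files so the checks describe the binary.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: not a regular file"
        return 2
    fi

    mode=$(stat -c '%a' "$path") || return 2
    owner=$(stat -c '%U' "$path") || return 2
    group=$(stat -c '%G' "$path") || return 2

    if [ "$mode" != "$want_mode" ]; then
        echo "$path: mode $mode, expected $want_mode"
        bad=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$path: owner $owner:$group, expected $want_owner:$want_group"
        bad=1
    fi

    # Independent of the expected mode: a setuid file that "other" may
    # execute (01) or write (02) is reachable by every local user, not only
    # by members of the intended group. The leading 0 makes the value octal.
    if [ $((0$mode & 04000)) -ne 0 ] && [ $((0$mode & 03)) -ne 0 ]; then
        echo "$path: setuid and executable or writable by other"
        bad=1
    fi
    return "$bad"
}

# Values taken from the report: 4750, root:amanda.
check_setuid_helper /usr/sbin/amservice 4750 root amanda \
    || echo "audit status: $?"
```
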