Subject: Re: BRU Vulnerability
From: Theo Van Dinter (felicityKLUGE.NET)
Date: Sun Jun 11 2000 - 15:31:30 CDT


On Thu, Jun 08, 2000 at 02:05:26PM -0700, Jeremy Rauch wrote:
> By default, BRU is installed setuid root. If it isn't, and is run by a
> non-root user, it complains:
> bru: [W171] warning - BRU must be owned by root and have suid bit set

Clarification request: Which version of BRU? I got the RPM version of
BRU 2000 (v15 I believe) w/ a RedHat box set I bought one day:

> rpm -q BRU2000
BRU2000-15.0P-2
> rpm -V BRU2000
..?..... /bin/bru
..?..... /bru/bru
S.5....T c /etc/brutab
> ls -la /bin/bru
-rwx--x--x 1 root root 157396 Dec 18 1997 /bin/bru

The "rpm -V" shows no permissions difference between installed and package,
and the /bin/bru program isn't setuid. It does complain about being
non-setuid, but it works just the same without it.

> Many (most) users who install BRU probably never think to check if it's
> installed setuid. Should it be? Probably not, but it is a very real
> vulnerability under a default install.

If you're worried about security, you should have done the standard

find / -perm +6000 -print

or the appropriate version thereof to find all of the setuid/gid programs on
your system. Standard security practice. If it has it but doesn't need it,
take it away.

--
Randomly Generated Tagline:
"Premature optimisation is the root of all evil." - Knuth
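
Added example, not part of the original message: a portable form of the setuid/setgid audit described above. Current GNU find no longer accepts `-perm +6000`, so this uses the POSIX `-perm -4000` / `-perm -2000` tests; the function names and the baseline-file convention are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: setuid/setgid audit helpers (hypothetical names).

# List regular files under directory $1 that carry the setuid (4000)
# or setgid (2000) bit. "-perm -MODE" means "all of these bits set",
# so the two tests are OR-ed to match either bit.
# -xdev keeps the walk on a single filesystem.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print only the findings that are absent from a reviewed baseline.
# $1 = directory to scan, $2 = baseline file (one path per line, sorted
# with the same locale as this run). Useful for spotting a package that
# installed a new setuid binary since the last review.
new_since_baseline() {
    list_suid_sgid "$1" | sort | comm -23 - "$2"
}

# "If it has it but doesn't need it, take it away":
# clear both the setuid and setgid bits on file $1.
strip_suid_sgid() {
    chmod u-s,g-s "$1"
}
```

Run `list_suid_sgid /` once per mounted filesystem as root, since `-xdev` stops the walk at mount points.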