Amanda-Users

RE: Runtar error

2005-02-21 16:19:39
Subject: RE: Runtar error
From: "Dege, Robert C." <robert.dege AT ngc DOT com>
To: "Amanda Mailing List" <amanda-users AT amanda DOT org>
Date: Mon, 21 Feb 2005 15:01:36 -0600
Excellent point, Eric.  My local automounter was mounting my NFS shares
with nosuid.  I have removed that entry.

I no longer see nosuid in my mount listings.  Lesse if it works :)

-Rob

PS - I'm crossing my fingers!


> -----Original Message-----
> From: owner-amanda-users AT amanda DOT org 
> [mailto:owner-amanda-users AT amanda DOT org] On Behalf Of Eric Siegerman
> Sent: Monday, February 21, 2005 2:54 PM
> To: Amanda Mailing List
> Subject: Re: Runtar error
> 
> On Fri, Feb 18, 2005 at 09:10:30AM -0600, Dege, Robert C. wrote:
> > runtar: error [must be setuid root]
> 
> On Fri, Feb 18, 2005 at 10:49:46AM -0600, Dege, Robert C. wrote:
> > -rwsr-x---  1 root   amanda  9947 Feb 16 10:43 runtar
> > [plus evidence that this copy of runtar *is* the one being used]
> 
> Hmm, that looks like runtar complaining, so it must have been 
> executed.  That argues against the hypothesis that Amanda 
> can't run runtar at all because it's not in the "amanda" group.
> 
> And runtar clearly is setuid root.
> 
> I wonder if the file system is mounted "nosuid".....  You 
> could test it by copying the "id" program into the directory 
> where runtar lives, making it setuid root, and running it as 
> a nonroot user to see what it says.  (MAKE SURE to nuke your 
> copy as soon as you're finished with it; "id" presumably 
> hasn't been audited for setuid-safety!)
> 
> On a Solaris box, I get (I've edited out the list of secondary
> groups):
>     % pwd
>     /home/erics/test
> 
>     % ls -ld id
>     // I took away its world-execute more for security paranoia
>     // than for the sake of strictly emulating runtar's perms
>     -rwsr-x---   1 root     erics       8044 Feb 21 14:39 id
> 
>     // The real "id" command just says I'm me -- ho hum
>     % /bin/id -a
>     uid=1000(erics) gid=1000(erics) groups=...
> 
>     // My setuid-root "id" command.  Still says my uid is my own,
>     // but note the "euid=0(root)"; that's what we're looking
>     // for.  (euid==0 && uid==<yours>) is the sign of a
>     // setuid-root executable.  (Similarly with gid's for setgid,
>     // but that's not relevant here.)
>     % ./id -a
>     uid=1000(erics) gid=1000(erics) euid=0(root) groups=...
> 
>     // And just as a check, run it from a root shell; the "euid="
>     // has gone away, since euid and ruid are now both 0.
>     # ./id -a
>     uid=0(root) gid=1(other) groups=...
> 
> --
> 
> |  | /\
> |-_|/  >   Eric Siegerman, Toronto, Ont.        erics AT telepres DOT com
> |  |  /
> The animal that coils in a circle is the serpent; that's why 
> so many cults and myths of the serpent exist, because it's 
> hard to represent the return of the sun by the coiling of a 
> hippopotamus.
>       - Umberto Eco, "Foucault's Pendulum"
> 
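
The same diagnosis can be made without creating a temporary setuid-root copy of "id". The following is an added example, not part of the original messages or of Amanda's code: it reads the file's mode and owner and the mount flags of the filesystem that holds it. The function names and verdict strings are assumptions made for illustration, and it checks only these three conditions.

```python
import os
import stat
import sys

# Mode of "-rwsr-x---" as shown in the runtar listing: regular file, setuid, 0750.
RUNTAR_MODE = 0o104750

NOT_SETUID = "setuid bit not set"
NOT_ROOT = "setuid, but not owned by root"
NOSUID_FS = "setuid root, but filesystem is mounted nosuid"
NO_PROBLEM = "no mode, owner or nosuid problem found"


def diagnose(mode, owner_uid, fs_flags):
    """Classify a would-be setuid-root helper from its stat mode, owner uid
    and the f_flag value that statvfs() reports for its filesystem."""
    if not mode & stat.S_ISUID:
        return NOT_SETUID
    if owner_uid != 0:
        return NOT_ROOT
    # With nosuid the bit is still visible in "ls -l" but ignored at exec time,
    # which matches the symptom in this thread.
    if fs_flags & os.ST_NOSUID:
        return NOSUID_FS
    return NO_PROBLEM


def check_path(path):
    """Run diagnose() against a real file (hypothetical helper name)."""
    st = os.stat(path)       # follows symlinks, as exec would
    vfs = os.statvfs(path)   # mount flags of the filesystem holding the file
    return diagnose(st.st_mode, st.st_uid, vfs.f_flag)


if __name__ == "__main__":
    # Usage: python3 check_setuid.py /path/to/runtar [more paths...]
    for p in sys.argv[1:]:
        print(f"{p}: {check_path(p)}")
```

Run it on the client that executes runtar, since the nosuid flag belongs to that machine's mount of the share, not to the NFS server.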

