Hobbit monitor: Security issue with Hobbit 4.2-beta client
I was just notified by a Hobbit user that the current beta client has
a security problem in the client "logfetch" utility, when installed as
suid-root (which is the default if "make install" is executed as root).
Impact
------
The effect of this is that any user who is able to log in and create
files on a system with the Hobbit client installed can use the "logfetch"
utility to get read access to any file on the system.
Which versions are affected
---------------------------
This issue affects all of the pre-release (alpha-, beta- and snapshot-versions)
of the Hobbit client version 4.2 released until today (2006-Jun-30), when the
client was installed as root and ~hobbit/client/bin/logfetch is suid-root.
The 4.1.x releases of the Hobbit client do not include the "logfetch"
utility, and are therefore NOT affected by this.
Remedy
------
It is recommended that you remove the suid bit from the logfetch utility
on systems where you have installed the Hobbit 4.2-beta client package.
To do this:
chmod 755 ~hobbit/client/bin/logfetch
Note that this may cause logfile monitoring to break, if the client does
not have read access to the monitored logfiles.
Running logfetch as suid-root will most likely be removed in the final
Hobbit 4.2 release of the client.
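The following POSIX sh snippet is an added example, not part of this advisory
and not code from the Hobbit project. It checks whether an installed logfetch
binary carries the setuid bit (and whether it is root-owned), applies the
chmod 755 remedy from above, and verifies the result. The function names, the
optional path argument and the LOGFETCH variable are assumptions of this
example; the default path is the one named in the advisory.

```shell
# logfetch_has_suid FILE: succeed (exit 0) if FILE exists and has the setuid bit.
logfetch_has_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# logfetch_owned_by_root FILE: succeed if FILE's owner uid is 0.
# ls -ln prints the numeric uid in column 3 and is portable where the
# flags of stat(1) differ between platforms.
logfetch_owned_by_root() {
    owner=$(ls -ln "$1" 2>/dev/null | awk '{print $3}')
    [ "$owner" = "0" ]
}

# logfetch_status FILE: print one word describing the state and return 0
# when no action is needed, 1 when the advisory's remedy applies.
#   missing    - no such file (client not installed here)
#   suid-root  - setuid and owned by root: the vulnerable configuration
#   suid-other - setuid but not root-owned: still drop the bit
#   ok         - no setuid bit
logfetch_status() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing"
        return 0
    fi
    if logfetch_has_suid "$f"; then
        if logfetch_owned_by_root "$f"; then
            echo "suid-root"
        else
            echo "suid-other"
        fi
        return 1
    fi
    echo "ok"
    return 0
}

# logfetch_remediate FILE: apply the advisory's fix (chmod 755) and confirm
# the setuid bit is gone. Must be run as root or the file's owner.
logfetch_remediate() {
    chmod 755 "$1" && ! logfetch_has_suid "$1"
}

# Stand-alone use: report the state of the default install path from the
# advisory (or the path given as first argument). Pass "fix" as the second
# argument to apply the remedy when needed.
LOGFETCH=${1:-~hobbit/client/bin/logfetch}
state=$(logfetch_status "$LOGFETCH" || true)
echo "$LOGFETCH: $state"
if [ "$2" = "fix" ] && [ "$state" != "ok" ] && [ "$state" != "missing" ]; then
    logfetch_remediate "$LOGFETCH" && echo "$LOGFETCH: setuid bit removed"
fi
```

After removing the bit, re-run logfetch_status to confirm it prints "ok"; if
logfile monitoring then stops working, that is the read-access limitation the
advisory describes, not a failure of the chmod.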
Regards,
Henrik Storner, the Hobbit developer