Hello,

The Amanda core team is pleased to announce the release of Amanda 3.3.9.

It is a security fix release: previous versions of Amanda allowed the 'amanda' user to run any code as root. An upgrade is not required if you trust the 'amanda' user.

Source tarballs are available from

  • http://www.amanda.org
  • https://sourceforge.net/project/showfiles.php?group_id=120

Binaries for many systems are available from

  • http://www.zmanda.com/download-amanda.php

Documentation can be found at

  • http://wiki.zmanda.com

Here's a list of the changes for release 3.3.9 (from the NEWS file):
Look at the ReleaseNotes and ChangeLog files for more details.

  • new --with-security-file configure option
    • It sets the default security file
    • defaults to /etc/amanda-security.conf
  • security-fix
    • All previous releases of Amanda allow the 'amanda' user to execute any code as root, and to execute an interactive shell as root.
    • This is a security vulnerability if you do not trust the 'amanda' user.
    • There is no need to upgrade if you trust the 'amanda' user and the account is secure:
      • good password
      • secure xinetd.conf setting
      • secure .amandahosts setting
    • The 'amanda' user can read all files on the machine; that is what a backup program does.
    • The set of fixes disables the ability to run unwanted code as root or to write files anywhere in the filesystem.
  • /etc/amanda-security.conf
    • A file that contains security settings.
    • It lists all binaries Amanda can execute as root.
    • restore_by_amanda_user
      • It tells whether the 'amanda' user can do a restore as root.
      • It allows the 'amanda' user to write files anywhere in the filesystem.
    • see: man amanda-security.conf
  • amgtar/amstar/ambsdtar/runtar
    • Disable arguments that can fork a program.
    • Verify the realpath (with symbolic links resolved) is in the amanda-security.conf file.
    • Verify the tar/star/bsdtar realpath program is secure:
      • owned by root and modifiable only by root.
    • On restore, check the restore_by_amanda_user setting if not run by root.


Jean-Louis Martineau
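
Added example, not part of the announcement and not Amanda's own code: one way to implement the amgtar/amstar/ambsdtar/runtar checks listed above (resolve the realpath, require an exact match in the allowlist, require root ownership with no group/other write bit). The function names and the in-memory ALLOWED list are hypothetical; the list is a constructed stand-in for the entries of amanda-security.conf, and the walk over parent directories goes beyond what the announcement states.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Constructed allowlist; stands in for the entries of amanda-security.conf. */
static const char *const ALLOWED[] = { "/usr/bin/tar", "/bin/tar" };
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Exact match on the resolved path; a prefix match would accept /bin/tar.evil. */
int path_is_listed(const char *real, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(real, list[i]) == 0)
            return 1;
    return 0;
}

/* Owned by root and modifiable only by root: uid 0, no group/other write bit. */
int stat_is_root_only(const struct stat *st)
{
    return st->st_uid == 0 && (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* 0 = acceptable; negative = reason the program must not be run as root. */
int check_program(const char *path, const char *const *list, size_t n)
{
    char real[PATH_MAX];
    struct stat st;
    if (realpath(path, real) == NULL)
        return -1;                        /* does not resolve */
    if (!path_is_listed(real, list, n))
        return -2;                        /* resolved path is not allowlisted */
    if (stat(real, &st) != 0 || !S_ISREG(st.st_mode) || !stat_is_root_only(&st))
        return -3;                        /* binary itself can be replaced */
    for (;;) {                            /* walk up through each parent directory */
        char *slash = strrchr(real, '/');
        int at_root = (slash == real);
        if (at_root) slash[1] = '\0'; else *slash = '\0';
        if (stat(real, &st) != 0 || !stat_is_root_only(&st))
            return -4;                    /* a parent lets non-root swap the file */
        if (at_root) return 0;
    }
}

int main(int argc, char **argv)
{
    return argc > 1 ? -check_program(argv[1], ALLOWED, N_ALLOWED) : 2;
}
```

Checking the resolved path rather than the configured one means a symbolic link named tar that points at another program fails the allowlist step.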