I was just notified by a Hobbit user that the current beta client has a security problem in the client "logfetch" utility, when installed as suid-root (which is the default if "make install" is executed as root).
Impact
The effect of this is that any user who is able to login and create files on a system with the Hobbit client installed, can use the "logfetch" utility to get read access to any file on the system.
Which versions are affected
This issue affects all of the pre-release (alfa-, beta- and snapshot-versions) of the Hobbit client version 4.2 released until today (2006-Jun-30), when the client was installed as root and ~hobbit/client/bin/logfetch is suid-root.
The 4.1.x releases of the Hobbit client does not include the "logfetch" utility, and are therefore NOT affected by this.
Remedy
It is recommended that you remove the suid bit from the logfetch utility on systems where you have installed the Hobbit 4.2-beta client package.
To do this: chmod 755 ~hobbit/client/bin/logfetch
Note that this may cause logfile monitoring to break, if the client does not have read access to the monitored logfiles.
Running logfetch as suid-root will most likely be removed in the final Hobbit 4.2 release of the client.
Regards,
Henrik Storner, the Hobbit developer