Newsgroups: comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!munnari.oz.au!spool.mu.edu!howland.reston.ans.net!europa.eng.gtefsd.com!uunet!boulder!nordsieck.cs.colorado.edu!millert
From: Todd C. Miller <millert@Colorado.EDU>
Subject: Re: crond, crontab...turn it off.
Message-ID: <1993Sep15.020454.5035@colorado.edu>
Originator: millert@nordsieck.cs.colorado.edu
Sender: news@colorado.edu (The Daily Planet)
Nntp-Posting-Host: nordsieck.cs.colorado.edu
Reply-To: millert@Colorado.EDU (Todd C. Miller)
Organization: University of Colorado, Boulder
References: <2756t8INNgfd@xs4all.hacktic.nl>
Date: Wed, 15 Sep 1993 02:04:54 GMT
Lines: 33
From the keyboard of cor@hacktic.nl (Cor):
> I would suggest anyone who uses vixie's crond, to remove the suid
> bit on crontab(1). It is amazingly insecure. We've found at least
> 3 different bugs to get root, or to view any file on the system.
Here's a quick -n- dirty hack to avoid the "view any file" hole.
The right thing to do seems to be to swap real & effective uids on
startup of crontab and then only become root when you need to.
This patch sort of does the opposite, but I wanted to plug the hole
quickly...
- todd
*** crontab.c Wed Jul 18 01:23:57 1990
--- ../../cron-2.1/crontab.c Tue Sep 14 19:34:10 1993
***************
*** 207,216 ****
--- 205,217 ----
if (!strcmp(Filename, "-")) {
NewCrontab = stdin;
} else {
+ /* swap effective/real uid to plug security hole */
+ setreuid(geteuid(), getuid());
if (!(NewCrontab = fopen(Filename, "r"))) {
perror(Filename);
exit(ERROR_EXIT);
}
+ setreuid(getuid(), geteuid());
}
}
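Review bot: The restoring call on the last added line does not undo the swap. Once `setreuid(geteuid(), getuid())` has run, getuid() and geteuid() return the exchanged values, so `setreuid(getuid(), geteuid())` sets the real and effective uids to what they already are, and crontab continues with the ids still swapped. Repeat the first call to swap back, or save both ids in locals before the first call and pass them explicitly. Neither setreuid() return value is checked; if the first call fails, the fopen() still runs with the setuid effective uid, so test the result and exit on failure.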
--
Todd C. Miller millert@Colorado.EDU
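
The approach the post describes (open the user-named file with the invoking user's credentials, then take the privileged ones back), as an added example that is not part of the original post or of cron's source. `open_as_invoker` is a hypothetical helper name; it captures both uids before the first swap and checks each setreuid() return.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* expose setreuid() on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from crontab.c): open `path` for reading with
 * the invoking user's credentials, then restore the original uid pair.
 * Returns NULL with errno set if the open or either uid swap fails. */
FILE *open_as_invoker(const char *path)
{
    uid_t ruid = getuid();   /* invoking user */
    uid_t euid = geteuid();  /* setuid owner, e.g. root */
    FILE *fp;
    int saved;

    /* Swap: effective becomes the invoker, real holds the privilege. */
    if (setreuid(euid, ruid) != 0)
        return NULL;         /* never fall through to a privileged fopen */

    fp = fopen(path, "r");   /* permission check uses the invoker's uid */
    saved = errno;

    /* Swap back using the values captured before the first swap. */
    if (setreuid(ruid, euid) != 0) {
        saved = errno;
        if (fp != NULL)
            fclose(fp);
        errno = saved;
        return NULL;
    }
    errno = saved;           /* report fopen's error, not setreuid's */
    return fp;
}

int main(int argc, char **argv)
{
    FILE *fp;
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    fp = open_as_invoker(argv[1]);
    if (fp == NULL) { perror(argv[1]); return 1; }
    printf("opened %s; uid=%ld euid=%ld\n", argv[1], (long)getuid(), (long)geteuid());
    fclose(fp);
    return 0;
}
```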