Newsgroups: comp.os.386bsd.bugs
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!elroy.jpl.nasa.gov!swrinde!cs.utexas.edu!uunet!boulder!nordsieck.cs.Colorado.EDU!millert
From: Todd C. Miller <millert@cs.Colorado.EDU>
Subject: Re: [NetBSD V0.9] Crontab Security Problem
Message-ID: <CI76zM.7qw@Colorado.EDU>
Originator: millert@nordsieck.cs.Colorado.EDU
Sender: news@Colorado.EDU (USENET News System)
Reply-To: millert@cs.Colorado.EDU (Todd C. Miller)
Organization: University of Colorado, Boulder
References: <9312171222.AA01518@fee.unicamp.br>
Date: Fri, 17 Dec 1993 21:14:09 GMT
Lines: 41
From the keyboard of Gorgonio@fee.unicamp.br:
>
> There is a rather large hole in crontab I figured I would make
> all aware of. The fix is simple, so it is not any big deal....
>
> crontab happens to be SUID with root level priv's, so a person,
> if they want your /etc/shadow can simply do a .....
>
> crontab -r /etc/shadow
> crontab -l
>
> crontab will grab a copy of the /etc/shadow, and place it as a job
> for the user to run in the /usr/spool/cron/crontabs. The -l will
> then display the jobs, thus resulting in giving up the password.
>
> ----- End Included Message -----
>
> It's also a NetBSD V0.9 hole!
Here's the fix I use. I had a nicer patch that I wrote but seem to have
nuked it during directory cleanup :-(
*** crontab.c Wed Jul 18 01:23:57 1990
--- ../../cron-2.1/crontab.c Tue Sep 14 19:34:10 1993
***************
*** 207,216 ****
--- 205,217 ----
if (!strcmp(Filename, "-")) {
NewCrontab = stdin;
} else {
+ /* swap effective/real uid to plug security hole */
+ setreuid(geteuid(), getuid());
if (!(NewCrontab = fopen(Filename, "r"))) {
perror(Filename);
exit(ERROR_EXIT);
}
+ setreuid(getuid(), geteuid());
}
}
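Review bot: the second call, `setreuid(getuid(), geteuid());` after the `fopen()`, does not undo the first. Once the ids have been swapped, `getuid()` and `geteuid()` return the swapped values, so this call re-applies the current ids and the process carries on with the invoking user's effective uid. Restoring needs the same swap expression as the first call, or the ids saved in locals before it. Neither call's return value is checked, so a failed first swap would leave `fopen(Filename, "r")` running with the set-uid identity; test both results and exit on failure.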
--
Todd C. Miller Sysadmin--University of Colorado millert@cs.Colorado.EDU
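
An added example, not part of the original post or of cron's source: a set-uid program opening a user-named file with the caller's own permissions, with both `setreuid()` calls checked and the ids restored from values saved beforehand. `fopen_as_real_user` and `demo_roundtrip` are hypothetical names, the temp file is constructed, and a set-uid (not set-gid) binary is assumed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from cron): open `path` as the invoking user,
 * then put the set-uid identity back. Returns NULL with errno set if the
 * privilege swap or the open fails. */
FILE *fopen_as_real_user(const char *path, const char *mode)
{
    uid_t ruid = getuid();    /* invoking user */
    uid_t euid = geteuid();   /* set-uid owner, root for crontab */
    FILE *fp;
    int saved_errno;

    /* Swap ids so the kernel checks the caller's own permissions. */
    if (setreuid(euid, ruid) != 0)
        return NULL;

    fp = fopen(path, mode);
    saved_errno = errno;

    /* Swap back using the values saved before the first call; calling
     * getuid()/geteuid() again here would return the swapped ids. */
    if (setreuid(ruid, euid) != 0 || getuid() != ruid || geteuid() != euid)
        abort();              /* never continue with an unknown identity */

    errno = saved_errno;
    return fp;
}

/* Self-check on a constructed temp file: returns 0 when the file opens and
 * both ids are unchanged afterwards. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/fopen_demo_XXXXXX";   /* constructed sample path */
    uid_t r = getuid(), e = geteuid();
    int fd = mkstemp(path);
    FILE *fp;

    if (fd < 0)
        return -1;
    close(fd);
    fp = fopen_as_real_user(path, "r");
    if (fp)
        fclose(fp);
    unlink(path);
    return (fp && getuid() == r && geteuid() == e) ? 0 : -1;
}

int main(void) { return demo_roundtrip() == 0 ? 0 : 1; }
```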