Return to BSD News archive
Newsgroups: comp.os.386bsd.bugs
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!sgiblab!brunix!cs.brown.edu!Mark_Weaver
From: Mark_Weaver@brown.edu
Subject: Re: [NetBSD V0.9] Crontab Security Problem
In-Reply-To: Todd C. Miller's message of Fri, 17 Dec 1993 21:14:09 GMT
Message-ID: <MARK_WEAVER.93Dec18202545@localhost.cs.brown.edu>
Sender: news@cs.brown.edu
Reply-To: Mark_Weaver@brown.edu
Organization: Brown University Department of Computer Science
References: <9312171222.AA01518@fee.unicamp.br> <CI76zM.7qw@Colorado.EDU>
Date: Sun, 19 Dec 1993 01:25:45 GMT
Lines: 32
In article <CI76zM.7qw@Colorado.EDU> Todd C. Miller <millert@cs.Colorado.EDU> writes:
> Here's the fix I use. I had a nicer patch that I wrote but seem to have
> nuked it during directory cleanup :-(
>
> *** crontab.c Wed Jul 18 01:23:57 1990
> --- ../../cron-2.1/crontab.c Tue Sep 14 19:34:10 1993
> ***************
> *** 207,216 ****
> --- 205,217 ----
> if (!strcmp(Filename, "-")) {
> NewCrontab = stdin;
> } else {
> + /* swap effective/real uid to plug security hole */
> + setreuid(geteuid(), getuid());
> if (!(NewCrontab = fopen(Filename, "r"))) {
> perror(Filename);
> exit(ERROR_EXIT);
> }
> + setreuid(getuid(), geteuid());
> }
> }
> --
> Todd C. Miller Sysadmin--University of Colorado millert@cs.Colorado.EDU
This patch is broken. That second call to setreuid should be exactly
the same as the first. Right now, that second call isn't doing
anything but wasting CPU cycles. :-)
Mark
--------------------------------------------------------------------
Email: Mark_Weaver@brown.edu | Brown University
PGP Key: finger mhw@cs.brown.edu | Dept of Computer Science