Newsgroups: comp.os.386bsd.bugs
Path: sserve!newshost.anu.edu.au!munnari.oz.au!bunyip.cc.uq.oz.au!harbinger.cc.monash.edu.au!yeshua.marcam.com!usc!cs.utexas.edu!uunet!boulder!nordsieck.cs.Colorado.EDU!millert
From: Todd C. Miller <millert@cs.Colorado.EDU>
Subject: Re: [NetBSD V0.9] Crontab Security Problem
Message-ID: <CICvyw.KCI@Colorado.EDU>
Originator: millert@nordsieck.cs.Colorado.EDU
Sender: news@Colorado.EDU (USENET News System)
Reply-To: millert@cs.Colorado.EDU (Todd C. Miller)
Organization: University of Colorado, Boulder
References: <9312171222.AA01518@fee.unicamp.br> <CI76zM.7qw@Colorado.EDU> <MARK_WEAVER.93Dec18202545@localhost.cs.brown.edu>
Date: Mon, 20 Dec 1993 23:01:44 GMT
Lines: 39

From the keyboard of Mark_Weaver@brown.edu:
> In article <CI76zM.7qw@Colorado.EDU> Todd C. Miller <millert@cs.Colorado.EDU> writes:
> > Here's the fix I use. I had a nicer patch that I wrote but seem to have
> > nuked it during directory cleanup :-(
> >
> > *** crontab.c Wed Jul 18 01:23:57 1990
> > --- ../../cron-2.1/crontab.c Tue Sep 14 19:34:10 1993
> > ***************
> > *** 207,216 ****
> > --- 205,217 ----
> > if (!strcmp(Filename, "-")) {
> > NewCrontab = stdin;
> > } else {
> > + /* swap effective/real uid to plug security hole */
> > + setreuid(geteuid(), getuid());
> > if (!(NewCrontab = fopen(Filename, "r"))) {
> > perror(Filename);
> > exit(ERROR_EXIT);
> > }
> > + setreuid(getuid(), geteuid());
> > }
> > }
> > --
> > Todd C. Miller Sysadmin--University of Colorado millert@cs.Colorado.EDU
>
> This patch is broken. That second call to setreuid should be exactly
> the same as the first. Right now, that second call isn't doing
> anything but wasting CPU cycles. :-)
>
> Mark
> --------------------------------------------------------------------
> Email: Mark_Weaver@brown.edu | Brown University
> PGP Key: finger mhw@cs.brown.edu | Dept of Computer Science

Whoops, thanks for pointing that out.

- todd
--
Todd C. Miller Sysadmin--University of Colorado millert@cs.Colorado.EDU
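
Review bot: The second added call, setreuid(getuid(), geteuid()) after the fopen() block, does not restore the original IDs. Once the first call has exchanged the real and effective uid, getuid() and geteuid() return the already-swapped values, so this call sets each ID to what it currently is and the rest of crontab keeps running with the IDs exchanged. Swapping back needs the same argument order as the first call, setreuid(geteuid(), getuid()). Separately, neither call checks the return value: if the first setreuid() fails, fopen(Filename, "r") still runs with the unchanged effective uid, which is the condition the comment says the patch is meant to plug, so the code should test for -1 and exit before opening the file.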