Newsgroups: comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!munnari.oz.au!spool.mu.edu!howland.reston.ans.net!europa.eng.gtefsd.com!uunet!boulder!nordsieck.cs.colorado.edu!millert
From: Todd C. Miller <millert@Colorado.EDU>
Subject: Re: crond, crontab...turn it off.
Message-ID: <1993Sep15.020454.5035@colorado.edu>
Originator: millert@nordsieck.cs.colorado.edu
Sender: news@colorado.edu (The Daily Planet)
Nntp-Posting-Host: nordsieck.cs.colorado.edu
Reply-To: millert@Colorado.EDU (Todd C. Miller)
Organization: University of Colorado, Boulder
References: <2756t8INNgfd@xs4all.hacktic.nl>
Date: Wed, 15 Sep 1993 02:04:54 GMT
Lines: 33

From the keyboard of cor@hacktic.nl (Cor):
> I would suggest anyone who uses vixie's crond, to remove the suid
> bit on crontab(1). It is amazingly insecure. We've found at least
> 3 different bugs to get root, or to view any file on the system.

Here's a quick -n- dirty hack to avoid the "view any file" hole. The right thing to do seems to be to swap real & effective uids on startup of crontab and then only become root when you need to. This patch sort of does the opposite, but I wanted to plug the hole quickly...

 - todd

*** crontab.c Wed Jul 18 01:23:57 1990 --- ../../cron-2.1/crontab.c Tue Sep 14 19:34:10 1993 *************** *** 207,216 **** --- 205,217 ---- if (!strcmp(Filename, "-")) { NewCrontab = stdin; } else { + /* swap effective/real uid to plug security hole */ + setreuid(geteuid(), getuid()); if (!(NewCrontab = fopen(Filename, "r"))) { perror(Filename); exit(ERROR_EXIT); } + setreuid(getuid(), geteuid()); } }

-- 
Todd C. Miller millert@Colorado.EDU
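
Review bot: the restoring call after the fopen(), setreuid(getuid(), geteuid()), does not swap the ids back. After the first call the real uid is the old effective uid and the effective uid is the invoking user, so getuid() and geteuid() now return exactly the pair that is already in place and the second call changes nothing; the rest of crontab then runs with the invoking user as effective uid and the privileged id as real uid. Use the same expression as the first call, setreuid(geteuid(), getuid()), or save both ids before the swap and restore from the saved values. Neither setreuid() return value is checked either: if the first call fails, the fopen() still runs with the privileged effective uid and the hole stays open, so test for -1 and exit(ERROR_EXIT) before opening Filename.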