*BSD News Article 20958



Newsgroups: comp.os.386bsd.questions
Path: sserve!newshost.anu.edu.au!munnari.oz.au!spool.mu.edu!howland.reston.ans.net!europa.eng.gtefsd.com!uunet!boulder!nordsieck.cs.colorado.edu!millert
From: Todd C. Miller <millert@Colorado.EDU>
Subject: Re: crond, crontab...turn it off.
Message-ID: <1993Sep15.020454.5035@colorado.edu>
Originator: millert@nordsieck.cs.colorado.edu
Sender: news@colorado.edu (The Daily Planet)
Nntp-Posting-Host: nordsieck.cs.colorado.edu
Reply-To: millert@Colorado.EDU (Todd C. Miller)
Organization: University of Colorado, Boulder
References: <2756t8INNgfd@xs4all.hacktic.nl>
Date: Wed, 15 Sep 1993 02:04:54 GMT
Lines: 33

From the keyboard of cor@hacktic.nl (Cor):
> I would suggest anyone who uses vixie's crond, to remove the suid
> bit on crontab(1). It is amazingly insecure. We've found at least
> 3 different bugs to get root, or to view any file on the system.

Here's a quick -n- dirty hack to avoid the "view any file" hole.
The right thing to do seems to be to swap real & effective uids on
startup of crontab and then only become root when you need to.
This patch sort of does the opposite, but I wanted to plug the hole
quickly...

 - todd

*** crontab.c	Wed Jul 18 01:23:57 1990
--- ../../cron-2.1/crontab.c	Tue Sep 14 19:34:10 1993
***************
*** 207,216 ****
--- 205,217 ----
  		if (!strcmp(Filename, "-")) {
  			NewCrontab = stdin;
  		} else {
+ 			/* swap effective/real uid to plug security hole */
+ 			setreuid(geteuid(), getuid());
  			if (!(NewCrontab = fopen(Filename, "r"))) {
  				perror(Filename);
  				exit(ERROR_EXIT);
  			}
+ 			setreuid(getuid(), geteuid());
  		}
  	}
  
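Review bot: The added call after the fopen block, setreuid(getuid(), geteuid()), does not swap the ids back. Both arguments are read after the first swap, so the call sets the real and effective uid to the values they already hold, and the rest of crontab keeps running with the ids as the first call left them. Restoring needs the same argument order as the first call, setreuid(geteuid(), getuid()), or the two ids saved in locals before the first swap. Neither call's return value is checked either: if the first swap fails, fopen(Filename, "r") still runs with the original effective uid, so that call should exit with ERROR_EXIT on a non-zero return.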
-- 
                    Todd C. Miller          millert@Colorado.EDU
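
An added example, not part of the original post and not code from cron: the uid swap the post describes, written as a bracket around a single open with the ids saved up front and every setreuid() call checked. The helper name open_as_invoker and the default path in main are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* open_as_invoker() is a hypothetical helper, not a function from cron.
 * It opens a caller-named file for reading while the effective uid is the
 * invoking user's, then puts the original ids back. */
FILE *open_as_invoker(const char *path)
{
    const uid_t ruid = getuid();   /* invoking user */
    const uid_t euid = geteuid();  /* id granted by the set-uid bit */
    FILE *fp;
    int saved_errno;

    /* Swap real and effective. Keeping the privileged id as the real uid
     * is what allows the swap to be undone. Fail closed if it is refused. */
    if (setreuid(euid, ruid) != 0)
        return NULL;

    fp = fopen(path, "r");         /* permission check uses the invoker's uid */
    saved_errno = errno;

    /* Undo the swap with the values saved above. Calling getuid() and
     * geteuid() again here would only return the swapped ids. */
    if (setreuid(ruid, euid) != 0 || getuid() != ruid || geteuid() != euid)
        abort();                   /* never continue with unknown ids */

    errno = saved_errno;           /* report fopen's error, not setreuid's */
    return fp;
}

int main(int argc, char **argv)
{
    FILE *fp = open_as_invoker(argc > 1 ? argv[1] : "/dev/null");
    if (fp == NULL) {
        perror("open_as_invoker");
        return 1;
    }
    puts("opened with the invoking user's permissions");
    fclose(fp);
    return 0;
}
```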