Return to BSD News archive
Path: sserve!newshost.anu.edu.au!munnari.oz.au!network.ucsd.edu!ogicse!uwm.edu!cs.utexas.edu!not-for-mail From: Gorgonio@fee.unicamp.br Newsgroups: comp.os.386bsd.bugs Subject: [NetBSD V0.9] Crontab Security Problem Message-ID: <9312171222.AA01518@fee.unicamp.br> Date: 17 Dec 93 00:18:31 GMT Article-I.D.: fee.9312171222.AA01518 Sender: daemon@cs.utexas.edu Organization: UTexas Mail-to-News Gateway Lines: 46 NNTP-Posting-Host: cs.utexas.edu [...] From: dreid@mailer.fsu.edu (Debi Reid) Date: 11 Dec 93 20:17:50 GMT Organization: Florida State University ACNS NNTP-Posting-Host: mailer.fsu.edu Lines: 24 There is a rather large hole in crontab I figured I would make all aware of. The fix is simple, so it is not any big deal.... crontab happens to be SUID with root level priv's, so a person, if they want your /etc/shadow can simply do a ..... crontab -r /etc/shadow crontab -l crontab will grab a copy of the /etc/shadow, and place it as a job for the user to run in the /usr/spool/cron/crontabs. The -l will then display the jobs, thus resulting in giving up the password. I read about this on a "underground echo", and this person mentioned that this worked on Linux boxes.. <Echo was henced named CCi Cyber Crime International, I believe.... Anyrate>.. I run a Linux box that several people have access to, and though you might wish to know about this.. the fix is simple, dont let users run crontab.... Thats the way I solved it.. Anyrate, any questions please mail me... Also, I am not intrested in the moral rights and wrongs of this post, so if you do not like it, dont read it... ----- End Included Message ----- It's also a NetBSD V0.9 hole! Gorgonio ================================================================================ Gorgonio B. Ara'ujo |SIFEE - FEE - UNICAMP Support Engineer |13.081.970 - Campinas/SP - Brazil |phone: +55 192 397421 |fax: +55 192 391395 |Internet: Gorgonio@fee.unicamp.br ================================================================================