Return to BSD News archive
Newsgroups: comp.os.386bsd.bugs Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!sgiblab!brunix!cs.brown.edu!Mark_Weaver From: Mark_Weaver@brown.edu Subject: Re: [NetBSD V0.9] Crontab Security Problem In-Reply-To: Todd C. Miller's message of Fri, 17 Dec 1993 21:14:09 GMT Message-ID: <MARK_WEAVER.93Dec18202545@localhost.cs.brown.edu> Sender: news@cs.brown.edu Reply-To: Mark_Weaver@brown.edu Organization: Brown University Department of Computer Science References: <9312171222.AA01518@fee.unicamp.br> <CI76zM.7qw@Colorado.EDU> Date: Sun, 19 Dec 1993 01:25:45 GMT Lines: 32 In article <CI76zM.7qw@Colorado.EDU> Todd C. Miller <millert@cs.Colorado.EDU> writes: > Here's the fix I use. I had a nicer patch that I wrote but seem to have > nuked it during directory cleanup :-( > > *** crontab.c Wed Jul 18 01:23:57 1990 > --- ../../cron-2.1/crontab.c Tue Sep 14 19:34:10 1993 > *************** > *** 207,216 **** > --- 205,217 ---- > if (!strcmp(Filename, "-")) { > NewCrontab = stdin; > } else { > + /* swap effective/real uid to plug security hole */ > + setreuid(geteuid(), getuid()); > if (!(NewCrontab = fopen(Filename, "r"))) { > perror(Filename); > exit(ERROR_EXIT); > } > + setreuid(getuid(), geteuid()); > } > } > -- > Todd C. Miller Sysadmin--University of Colorado millert@cs.Colorado.EDU This patch is broken. That second call to setreuid should be exactly the same as the first. Right now, that second call isn't doing anything but wasting CPU cycles. :-) Mark -------------------------------------------------------------------- Email: Mark_Weaver@brown.edu | Brown University PGP Key: finger mhw@cs.brown.edu | Dept of Computer Science