*BSD News Article 25138


Newsgroups: comp.os.386bsd.bugs
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!sgiblab!brunix!cs.brown.edu!Mark_Weaver
From: Mark_Weaver@brown.edu
Subject: Re: [NetBSD V0.9] Crontab Security Problem
In-Reply-To: Todd C. Miller's message of Fri, 17 Dec 1993 21:14:09 GMT
Message-ID: <MARK_WEAVER.93Dec18202545@localhost.cs.brown.edu>
Sender: news@cs.brown.edu
Reply-To: Mark_Weaver@brown.edu
Organization: Brown University Department of Computer Science
References: <9312171222.AA01518@fee.unicamp.br> <CI76zM.7qw@Colorado.EDU>
Date: Sun, 19 Dec 1993 01:25:45 GMT
Lines: 32

In article <CI76zM.7qw@Colorado.EDU> Todd C. Miller <millert@cs.Colorado.EDU> writes:
> Here's the fix I use.  I had a nicer patch that I wrote but seem to have
> nuked it during directory cleanup :-(
> 
> *** crontab.c	Wed Jul 18 01:23:57 1990
> --- ../../cron-2.1/crontab.c	Tue Sep 14 19:34:10 1993
> ***************
> *** 207,216 ****
> --- 205,217 ----
>   		if (!strcmp(Filename, "-")) {
>   			NewCrontab = stdin;
>   		} else {
> + 			/* swap effective/real uid to plug security hole */
> + 			setreuid(geteuid(), getuid());
>   			if (!(NewCrontab = fopen(Filename, "r"))) {
>   				perror(Filename);
>   				exit(ERROR_EXIT);
>   			}
> + 			setreuid(getuid(), geteuid());
>   		}
>   	}
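Review bot: The second call, setreuid(getuid(), geteuid()) after the fopen block, does not swap the IDs back. By that point getuid() returns the old effective uid and geteuid() the old real uid, so the call sets each ID to the value it already has and the process carries on with the IDs still swapped. Repeat the first call, setreuid(geteuid(), getuid()), to restore them. Neither call's return value is checked: if the first one fails, fopen(Filename, "r") runs with the original effective uid, so exit on a nonzero return before opening the file.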
> -- 
>   Todd C. Miller    Sysadmin--University of Colorado    millert@cs.Colorado.EDU

This patch is broken.  That second call to setreuid should be exactly
the same as the first.  Right now, that second call isn't doing
anything but wasting CPU cycles.  :-)

	Mark
--------------------------------------------------------------------
Email: Mark_Weaver@brown.edu           | Brown University
PGP Key: finger mhw@cs.brown.edu       | Dept of Computer Science
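Added example, not part of the original post or of the cron sources: a C program that traces the (real, effective) uid pair through the posted and the corrected call sequences, and a helper that does the open with both setreuid calls checked. The struct, the function names and the sample uids 1000 and 0 are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700            /* declares setreuid() under strict -std */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of a process's (real, effective) uid pair, used to trace the patch. */
struct ids { uid_t real, eff; };

/* Model of a setreuid(r, e) call that the kernel permits. */
static void model_setreuid(struct ids *p, uid_t r, uid_t e) { p->real = r; p->eff = e; }

/* Posted patch: the second call passes (getuid(), geteuid()). */
struct ids trace_posted(struct ids p) {
    model_setreuid(&p, p.eff, p.real);  /* setreuid(geteuid(), getuid()): swap */
    model_setreuid(&p, p.real, p.eff);  /* setreuid(getuid(), geteuid()): no-op */
    return p;
}

/* Correction from the reply: the second call is the same as the first. */
struct ids trace_corrected(struct ids p) {
    model_setreuid(&p, p.eff, p.real);  /* swap */
    model_setreuid(&p, p.eff, p.real);  /* swap back */
    return p;
}

/* Hypothetical helper: open path for reading with the invoking user's uid. */
FILE *fopen_as_real_user(const char *path) {
    FILE *fp;
    if (setreuid(geteuid(), getuid()) != 0)    /* effective uid = invoking user */
        return NULL;                           /* never open with privilege */
    fp = fopen(path, "r");
    if (setreuid(geteuid(), getuid()) != 0) {  /* same call again swaps back */
        if (fp) fclose(fp);
        return NULL;                           /* a setuid caller should exit here */
    }
    return fp;
}

int main(void) {
    struct ids start = { 1000, 0 };            /* constructed: user 1000, setuid root */
    struct ids bad = trace_posted(start), ok = trace_corrected(start);
    printf("posted:    real=%d eff=%d\n", (int)bad.real, (int)bad.eff);
    printf("corrected: real=%d eff=%d\n", (int)ok.real, (int)ok.eff);
    return 0;
}
```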