Newsgroups: comp.os.386bsd.bugs
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!nic.hookup.net!swrinde!cs.utexas.edu!uunet!brunix!cs.brown.edu!Mark_Weaver
From: Mark_Weaver@brown.edu
Subject: Re: [NetBSD V0.9] Crontab Security Problem
In-Reply-To: pete@puffin.uucp's message of Sun, 19 Dec 1993 09:11:57 GMT
Message-ID: <MARK_WEAVER.93Dec20031602@tonto-slip14.cis.brown.edu>
Sender: news@cs.brown.edu
Reply-To: Mark_Weaver@brown.edu
Organization: Brown University Department of Computer Science
References: <9312171222.AA01518@fee.unicamp.br> <CI76zM.7qw@Colorado.EDU> <MARK_WEAVER.93Dec18202545@localhost.cs.brown.edu> <CI9yvx.CIJ@puffin.uucp>
Date: Mon, 20 Dec 1993 08:16:02 GMT
Lines: 31

In article <CI9yvx.CIJ@puffin.uucp> pete@puffin.uucp (Pete Carah) writes:
> Also, an easier fix is:
> if (!strcmp(Filename, "-")) {
> NewCrontab = stdin;
> } else {
> ! if (access(Filename, R_OK) < 0 ||
> ! !(NewCrontab = fopen(Filename, "r"))) {
> perror(Filename);
> exit(ERROR_EXIT);
> }
> }
> --------------
> access(2) uses the REuid for checks; it was meant for exactly this use.
> We don't have to check errno for permissions; it doesn't matter why
> access(2) fails.

Your patch creates a race condition.  Consider the following scenario:

  touch myfile
  (crontab -r myfile &);usleep 10;ln -sf /etc/master.passwd myfile

If you adjust the usleep properly so that the ln happens between the
access call and the fopen call, then you've got the password file.

For this reason, access(2) is completely useless to enforce the
security of setuid root programs.

	Mark
--------------------------------------------------------------------
Email: Mark_Weaver@brown.edu     | Brown University
PGP Key: finger mhw@cs.brown.edu | Dept of Computer Science
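
Review bot: the two `!` lines test `Filename` with access() and then resolve the same name a second time in fopen(), so in a setuid program the file that passed the check is not guaranteed to be the file that gets opened. Suggest dropping the access() call and making the permission check part of the open itself, by opening while the real uid is in effect and applying any further checks to the open descriptor. The perror()/exit() error path can stay as it is.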
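
The gap between access() and fopen() discussed in this thread disappears when open(2) itself makes the permission check under the caller's IDs. The following is an added example, not code from the post or from crontab: `fopen_as_real_user` is a hypothetical helper, and it assumes a POSIX system with saved set-user-IDs (seteuid/setegid).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not crontab's code): open `path` for reading with the
 * invoking user's IDs in effect, so the permission check is part of open(2)
 * itself and there is no gap in which the name can be re-pointed. */
FILE *fopen_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    FILE *fp;
    int fd = -1, err = 0;

    /* Group first: it can no longer be changed once the uid is dropped. */
    if (setegid(getgid()) < 0 || seteuid(getuid()) < 0)
        err = errno;
    else if ((fd = open(path, O_RDONLY | O_NONBLOCK)) < 0) /* no FIFO hang */
        err = errno;

    /* Regain the saved IDs before doing anything else; failure is fatal. */
    if (seteuid(saved_euid) < 0 || setegid(saved_egid) < 0)
        _exit(1);

    /* Further tests use the descriptor, never the name again.
     * Accepting regular files only is this example's policy choice. */
    if (fd >= 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))) {
        err = EINVAL;
        close(fd);
        fd = -1;
    }
    if (fd < 0 || (fp = fdopen(fd, "r")) == NULL) {
        if (fd >= 0) { err = errno; close(fd); }
        errno = err;
        return NULL;
    }
    return fp;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    FILE *fp = fopen_as_real_user(argv[1]);
    if (!fp) { perror(argv[1]); return 1; }
    return fclose(fp) != 0;
}
```

Run without privileges, the ID switches are no-ops; installed setuid, the open is judged against the invoking user whatever the name points to at that instant.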