Return to BSD News archive
Newsgroups: comp.os.386bsd.bugs Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!elroy.jpl.nasa.gov!grian!puffin!pete From: pete@puffin.uucp (Pete Carah) Subject: Re: [NetBSD V0.9] Crontab Security Problem References: <9312171222.AA01518@fee.unicamp.br> <CI76zM.7qw@Colorado.EDU> <MARK_WEAVER.93Dec18202545@localhost.cs.brown.edu> Organization: /usr/lib/news/organi[sz]ation Date: Sun, 19 Dec 1993 09:11:57 GMT Message-ID: <CI9yvx.CIJ@puffin.uucp> Lines: 45 In article <MARK_WEAVER.93Dec18202545@localhost.cs.brown.edu>, <Mark_Weaver@brown.edu> wrote: >In article <CI76zM.7qw@Colorado.EDU> Todd C. Miller <millert@cs.Colorado.EDU> writes: >> Here's the fix I use. I had a nicer patch that I wrote but seem to have >> nuked it during directory cleanup :-( >> >> *** crontab.c Wed Jul 18 01:23:57 1990 >> --- ../../cron-2.1/crontab.c Tue Sep 14 19:34:10 1993 >> *************** >> *** 207,216 **** >> --- 205,217 ---- >> if (!strcmp(Filename, "-")) { >> NewCrontab = stdin; >> } else { >> + /* swap effective/real uid to plug security hole */ >> + setreuid(geteuid(), getuid()); >> if (!(NewCrontab = fopen(Filename, "r"))) { >> perror(Filename); >> exit(ERROR_EXIT); >> } >> + setreuid(getuid(), geteuid()); >> } >> } >> -- >> Todd C. Miller Sysadmin--University of Colorado millert@cs.Colorado.EDU > >This patch is broken. That second call to setreuid should be exactly >the same as the first. Right now, that second call isn't doing Also, an easier fix is: if (!strcmp(Filename, "-")) { NewCrontab = stdin; } else { ! if (access(Filename, R_OK) < 0 || ! !(NewCrontab = fopen(Filename, "r"))) { perror(Filename); exit(ERROR_EXIT); } } -------------- access(2) uses the REuid for checks; it was meant for exactly this use. We don't have to check errno for permissions; it doesn't matter why access(2) fails. -- Pete