*BSD News Article 25208



Newsgroups: comp.os.386bsd.bugs
Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!sgi!geezer.denver.sgi.com!rhyolite.wpd.sgi.com!calcite!vjs
From: vjs@calcite.rhyolite.com (Vernon Schryver)
Subject: Re: [NetBSD V0.9] Crontab Security Problem
References: <MARK_WEAVER.93Dec18202545@localhost.cs.brown.edu> <CI9yvx.CIJ@puffin.uucp> <MARK_WEAVER.93Dec20031602@tonto-slip14.cis.brown.edu>
Organization: Rhyolite Software
Date: Mon, 20 Dec 1993 15:50:49 GMT
Message-ID: <CICC0q.58M@calcite.rhyolite.com>
Lines: 21

In article <MARK_WEAVER.93Dec20031602@tonto-slip14.cis.brown.edu> Mark_Weaver@brown.edu writes:
>....
>Your patch creates a race condition.  Consider the following scenario:
>
>touch myfile
>(crontab -r myfile &);usleep 10;ln -sf /etc/master.passwd myfile
>
>If you adjust the usleep properly so that the ln happens between the
>access call and the fopen call, then you've got the password file.
>For this reason, access(2) is completely useless to enforce the
>security of setuid root programs.


That's a very good reason for not using access(2).

What might be a slightly less interesting reason for the crontab command,
except for diskless machines, is that access(2) does not tell you about an
NFS mounted file.  What the client thinks the server would do should the
server actually be sent a read request is not always what the server does.

Vernon Schryver    vjs@rhyolite.com
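
An added example, not part of the original thread: one way a setuid program can read a user-named file without access(2), by switching to the invoking user's IDs for the open itself, so the kernel (or the NFS server) makes the permission decision at the moment of use. The helper name open_as_invoker is hypothetical, and the code assumes POSIX seteuid/setegid with saved set-user-ID semantics.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * open_as_invoker() is a hypothetical helper, not code from crontab.
 * Returns a read-only descriptor for a regular file, or -1.
 * The permission check happens inside open(2) with the invoking user's
 * IDs, so there is no window between "check" and "use" in which a
 * symlink swap can change what gets opened with root's authority.
 */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd;

    /* Drop the group first: once the effective uid is dropped we may
     * no longer be allowed to change the group. */
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        (void)setegid(saved_egid);
        return -1;
    }

    /* O_NONBLOCK keeps a FIFO planted at this path from hanging us. */
    fd = open(path, O_RDONLY | O_NONBLOCK);

    /* Regain the saved IDs in reverse order; failure here is fatal. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        _exit(1);
    }
    if (fd < 0)
        return -1;

    /* Inspect the object actually opened, never the path name again. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Because the open runs with the user's credentials, a path that has been re-pointed at /etc/master.passwd simply fails with EACCES, and an NFS server's own answer replaces the client's guess.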