From owner-freebsd-security@freebsd.org Thu Sep 1 13:37:48 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 44912BCAB94 for ; Thu, 1 Sep 2016 13:37:48 +0000 (UTC) (envelope-from kitchetech@gmail.com) Received: from mail-ua0-x233.google.com (mail-ua0-x233.google.com [IPv6:2607:f8b0:400c:c08::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F1349916 for ; Thu, 1 Sep 2016 13:37:47 +0000 (UTC) (envelope-from kitchetech@gmail.com) Received: by mail-ua0-x233.google.com with SMTP id m60so145423866uam.3 for ; Thu, 01 Sep 2016 06:37:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MNrpZt5fa7ea6qfeIyomBqf/cMT9nEs5ydPjzwh4G9A=; b=lAmJ6n+R0bRVMAToIteV7jsYucIQx1cs5pKTHIRz2uGrGBPkyAkiRQs7x7ziZoU1NN zCzFy2/YIdlcW8PDMIN46CrM/kpLWCpDnDb/W+u4CuKF5tuNAIWi21yFsWdEofl6KwpW d82xysb9tMQDHElRZZqQOVxAnJcXA7oDH57wYBc1nGr12+ZoNuyRcN2zNYX90+r97zzv ahOcXtaUHFaHlcYx4K5uHGHAUi8y4buvR3R6BgpJhebpJg+JrvTLzo/tj9BXvodAYdlp P6X+Rlcew/Rq0RKySMSdGSbKmRcjIH5y8tsfupx3nWEAwfGjI2pRy2Kw/wC0Ex5M3Cc1 pIlA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MNrpZt5fa7ea6qfeIyomBqf/cMT9nEs5ydPjzwh4G9A=; b=B+xP5GQSZgkOT/tlUZFMD4qgVdvTZNtflGYczCYvNbHr/k7DRKnSjXEHT+CZbnRiO3 uXj4jq2mAaPNZ8eyRZchyJjgeXtYrbfdWOcIdDBowNovkLmBZqyrqpcvzw0eBfgR+M0H ZJ/9dFV3TNyclyqEWEeT/B99ikFS0CsHUjr7WsZxY7xwls+TMUQr31dOSYCHRLTV394h uU4g8HuHbWGC7qy3Ceb5qdUylYUvG8+eHFnTsoB48guij17PaCSSHWMDb3A5O2mcyYjZ ngftFrWLmJBICJMVPmcyEDpb8Dq1bI/IjVUINogAsTcV6xWWOY/UXrB4e1caDNG2uxIk 66Lw== X-Gm-Message-State: AE9vXwNrNeScDQqMN9csbvh4nTGrZAqu8IrAWuHwo0RQy6Oo2pFnVKHtvkYuTl+01aDWGM15X2UKLFXNG9bJ/w== X-Received: by 10.31.79.66 with SMTP id d63mr9412284vkb.96.1472737067077; Thu, 01 Sep 2016 06:37:47 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.138.206 with HTTP; Thu, 1 Sep 2016 06:37:46 -0700 (PDT) Received: by 10.31.138.206 with HTTP; Thu, 1 Sep 2016 06:37:46 -0700 (PDT) In-Reply-To: References: From: Matt Donovan Date: Thu, 1 Sep 2016 08:37:46 -0500 Message-ID: Subject: Re: edit others user crontab, security bug To: Andrii Kuzik Cc: freebsd-security Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.22 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Sep 2016 13:37:48 -0000 So your doing it as root. Root can do that. As it has access to everything. On Sep 1, 2016 8:15 AM, "Andrii Kuzik" wrote: > Probably a lot of freebsd servers affected > > Security bug allows to edit other users crontab > > root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp > root# echo @daily doit baby > /tmp/test > root# crontab -u www.promspecbud.com.other /tmp/test > root# crontab -u www.promspecbud.com -l > > =====output ===== > @daily doit baby > ================= > > root#echo @daily doit baby one more time>> /tmp/test > root#sudo -u www.promspecbud.com.other crontab /tmp/test > root#sudo -u www.promspecbud.com crontab -l > =====output ===== > @daily doit baby > @daily doit baby one more time > ================= > > root# uname -a > FreeBSD kuzik 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 > 02:10:02 UTC 2016 > root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 > > best regards, Andrii Kuzik > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " >