From owner-freebsd-security  Mon Apr 20 11:40:59 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA07871
          for freebsd-security-outgoing; Mon, 20 Apr 1998 11:40:59 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA07758
          for <freebsd-security@freebsd.org>; Mon, 20 Apr 1998 18:40:12 GMT
          (envelope-from marcs@znep.com)
Received: from znep.com (uucp@localhost)
	by scanner.worldgate.com (8.8.7/8.8.7) with UUCP id MAA08982
	for freebsd-security@freebsd.org; Mon, 20 Apr 1998 12:40:03 -0600 (MDT)
Received: from localhost (marcs@localhost) by alive.znep.com (8.7.5/8.7.3) with SMTP id MAA26137 for <freebsd-security@freebsd.org>; Mon, 20 Apr 1998 12:39:35 -0600 (MDT)
Date: Mon, 20 Apr 1998 12:39:34 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
In-Reply-To: <199804201755.NAA13930@brain.zeus.leitch.com>
Message-ID: <Pine.BSF.3.95.980420123120.16057R-100000@alive.znep.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Mon, 20 Apr 1998, Greg A. Woods wrote:

> [ On Sun, April 19, 1998 at 19:18:54 (-0500), Karl Denninger wrote: ]
> > Subject: Re: suid/sgid programs
> >
> > > > Same with crontab, at and batch.  *CRON* needs to run as root, but crontab 
> > > > and friends DO NOT.  They need to be SUID to something, but again, not root.
> > > 
> > > But if someone can break the uid that crontab runs as, they have root
> > > anyway.
> > 
> > Not necessarily.  There are ways around that problem.
> 
> I, for one, am all ears!  The only tricks I can think of are those that
> would work soley by obscurity, which with open source make them of
> little real value.  Other tricks, such as using some fancy IPC between
> crontab(1) and cron(8) may actually decrease security because the spread
> the responsibility for authentication and authorization over more code.
> Crontab(1) as-is can be programmed very simply and quite securely so
> long, and regardless of what UID it runs as to drop files into the
> queuing area, if that UID is cracked then root is as good as gone too,
> so one may as well just make crontab(1) set-UID root.

If you require that the crontab file be owned by the user whose crontab it
is you can probably do something.  Then crontab just has to flip to the
real uid from the euid that it is setuid to.  You may need to pop a setgid
in there instead to allow permission for crontab to create files with the
right owner.

It isn't as simple as this, however, since you now open the crontab file
to "outside" editing by the user.  In an ideal world it wouldn't matter,
however it needs to be checked.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message