Date: Mon, 20 Apr 1998 15:34:21 -0400 (EDT)
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
Message-ID: <199804201934.PAA14697@brain.zeus.leitch.com>
In-Reply-To: Marc Slemko's message of "Mon, April 20, 1998 12:39:34 -0600" regarding "Re: suid/sgid programs" id <Pine.BSF.3.95.980420123120.16057R-100000@alive.znep.com>
References: <199804201755.NAA13930@brain.zeus.leitch.com> <Pine.BSF.3.95.980420123120.16057R-100000@alive.znep.com>
[ On Mon, April 20, 1998 at 12:39:34 (-0600), Marc Slemko wrote: ]
> Subject: Re: suid/sgid programs
>
> If you require that the crontab file be owned by the user whose crontab it
> is you can probably do something.  Then crontab just has to flip to the
> real uid from the euid that it is setuid to.  You may need to pop a setgid
> in there instead to allow permission for crontab to create files with the
> right owner.

Hmmm.... yes, set-GID would indeed be sufficient in this situation.  I had
earlier dismissed it because of the potential problem you mention below, and
because I am worried about the risk of a denial-of-service attack should the
special group-id be compromised (anyone's crontab, including root's, could be
removed in that scenario).

It also places the burden on cron for doing the authorization based on
matching the user-id of the file to the filename (and thus for also avoiding
race conditions when performing those checks, though this should be
relatively easy with fstat(2)).

In addition it further prevents one from ever allowing non-root chown(2)
[even if you don't implement, or care about, quotas].

All-in-all though it may be less risky than keeping crontab(1) set-UID root!

> It isn't as simple as this, however, since you now open the crontab file
> to "outside" editing by the user.  In an ideal world it wouldn't matter,
> however it needs to be checked.

No, not necessarily if you make the directory mode 770 or 570, and make the
file mode 440 or even 040.  That should be more than sufficient.  Only if the
user compromises the special group-id will such edits be possible.

-- 
Greg A. Woods

+1 416 443-1734      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
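The check Greg describes above, cron authorizing a spool file by matching its owner uid to the user the filename names, done with fstat(2) on the open descriptor so the check cannot be raced, plus his "nothing looser than mode 440" rule, as an added C example that is not code from this thread or from any cron implementation. The spool path, the enum names and the `make_spool_file` helper are constructed for the demonstration; `expected_uid` stands for whatever getpwnam(3) returns for the user the file is named after.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum crontab_check {
    CRONTAB_OK = 0,
    CRONTAB_EOPEN,    /* open(2) failed: missing, a symlink, or no access */
    CRONTAB_ENOTREG,  /* not a regular file */
    CRONTAB_EOWNER,   /* st_uid is not the uid the filename names */
    CRONTAB_EMODE     /* looser than mode 440, or setuid/setgid/sticky set */
};
/* Open `path` and validate it via fstat(2) on the descriptor actually opened,
 * so no rename or symlink swap fits between check and use. expected_uid comes
 * from getpwnam(3) on the user the file is named after. On success *fdp holds
 * the descriptor; on failure nothing stays open. */
enum crontab_check open_crontab_checked(const char *path, uid_t expected_uid, int *fdp)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return CRONTAB_EOPEN;
    enum crontab_check rc = CRONTAB_ENOTREG;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))
        goto fail;
    rc = CRONTAB_EOWNER;
    if (st.st_uid != expected_uid)
        goto fail;
    rc = CRONTAB_EMODE;  /* nothing looser than 440, no special bits */
    if (st.st_mode & (S_IWGRP | S_IWOTH | S_ISUID | S_ISGID | S_ISVTX))
        goto fail;
    *fdp = fd;
    return CRONTAB_OK;
fail:
    close(fd);
    return rc;
}

/* Demo helper (constructed for this example): create a spool file owned by
 * the caller with the given mode and write its path into buf. */
int make_spool_file(char *buf, size_t buflen, mode_t mode)
{
    snprintf(buf, buflen, "/tmp/crontab-demo-XXXXXX");
    int fd = mkstemp(buf), rc = fd < 0 ? -1 : fchmod(fd, mode);
    if (fd >= 0)
        close(fd);
    return rc;
}
```

Using O_NOFOLLOW together with fstat(2) on the returned descriptor means the owner and mode that are checked belong to the very inode cron goes on to read, which a stat(2) on the pathname before open(2) could not guarantee.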