Date: Mon, 20 Apr 1998 15:34:21 -0400 (EDT)
Message-Id: <199804201934.PAA14697@brain.zeus.leitch.com>
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
In-Reply-To: Marc Slemko's message of "Mon, April 20, 1998 12:39:34 -0600" regarding "Re: suid/sgid programs"
References: <199804201755.NAA13930@brain.zeus.leitch.com>
Organization: Planix, Inc.; Toronto, Ontario; Canada

[ On Mon, April 20, 1998 at 12:39:34 (-0600), Marc Slemko wrote: ]
> Subject: Re: suid/sgid programs
>
> If you require that the crontab file be owned by the user whose crontab it
> is you can probably do something.  Then crontab just has to flip to the
> real uid from the euid that it is setuid to.  You may need to pop a setgid
> in there instead to allow permission for crontab to create files with the
> right owner.

Hmmm.... yes, set-GID would indeed be sufficient in this situation.  I had
earlier dismissed it because of the potential problem you mention below, and
because I am worried about the risk of a denial-of-service attack should the
special group-id be compromised (anyone's crontab, including root's, could be
removed in that scenario).

It also places the burden on cron for doing the authorization based on
matching the user-id of the file to the filename (and thus for also avoiding
race conditions when performing those checks, though this should be
relatively easy with fstat(2)).

In addition it further prevents one from ever allowing non-root chown(2)
[even if you don't implement, or care about, quotas].

All-in-all though it may be less risky than keeping crontab(1) set-UID root!

> It isn't as simple as this, however, since you now open the crontab file
> to "outside" editing by the user.  In an ideal world it wouldn't matter,
> however it needs to be checked.

No, not necessarily if you make the directory mode 770 or 570, and make the
file mode 440 or even 040.  That should be more than sufficient.  Only if
the user compromises the special group-id will such edits be possible.

-- 
Greg A. Woods    +1 416 443-1734    VE3TCP
Planix, Inc.; Secrets of the Weird