Date: Thu, 01 Sep 2016 22:43:58 +0900 From: Edho Arief <me@myconan.net> To: freebsd-security@freebsd.org Subject: Re: edit others user crontab, security bug Message-ID: <1472737438.3589865.712736753.5CFBB0DC@webmail.messagingengine.com> In-Reply-To: <CA%2Bf9Cbu8q2KngxgAmZ8BrKYyYC5okDcMAs4nd=SJS6YpBMRJcQ@mail.gmail.com> References: <CA%2Bf9Cbu8q2KngxgAmZ8BrKYyYC5okDcMAs4nd=SJS6YpBMRJcQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi,
On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> Probably a lot of freebsd servers affected
>
> Security bug allows to edit other users crontab
>
> root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d
> /tmp
> root# echo @daily doit baby > /tmp/test
> root# crontab -u www.promspecbud.com.other /tmp/test
> root# crontab -u www.promspecbud.com -l
>
> =====output =====
> @daily doit baby
> =================
>
> root#echo @daily doit baby one more time>> /tmp/test
> root#sudo -u www.promspecbud.com.other crontab /tmp/test
> root#sudo -u www.promspecbud.com crontab -l
> =====output =====
> @daily doit baby
> @daily doit baby one more time
> =================
>
to be more specific, the bug is crontab truncates usernames to 19
characters as defined in cron.h:
#define MAX_UNAME 20 /* max length of username, should be
overkill */
# pw useradd users12345names67890
# crontab -u users12345names67890 -l
crontab: no crontab for users12345names6789
^-- cut off
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1472737438.3589865.712736753.5CFBB0DC>