From owner-freebsd-security@freebsd.org Thu Sep 1 18:10:07 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3CF3DBCB086 for ; Thu, 1 Sep 2016 18:10:07 +0000 (UTC) (envelope-from rollingbits@gmail.com) Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 07562982 for ; Thu, 1 Sep 2016 18:10:07 +0000 (UTC) (envelope-from rollingbits@gmail.com) Received: by mail-it0-x236.google.com with SMTP id e124so118844431ith.0 for ; Thu, 01 Sep 2016 11:10:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/JSrcVuMfDgwnmVdIsxTO0rIHkEflRNnlYMCY1fj82w=; b=t7S/dkXTNYNYbK8OVt2f90t58k+A5BgM4IWedRnjkxrxcW5/osr99nvoxZ4QxxM87H 2f3Afq9jjWO/BKPocLf42g665R3SEwOnd9Ol9yv6bIrvUm4xE+VgubzQXPSVDCyWkUnT 9bQhJ0QN832zHvpHbPWAKreJoZPQiOduzCPiss05c/utV/2w1SaFLVrBN93km8QgwYTy vB8RK93NaogvSr8X57m56m3pbbRwcvQESKAGIpFqCKgO59ay4HtxSOIKhu0U+M0grQfq z31G7YAMQQgO8sZNhpK0jJQQvleT7gqVXfTVSJ58xmBy5yR44Kh4Aq1ZbtugforW/il9 Bt6Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/JSrcVuMfDgwnmVdIsxTO0rIHkEflRNnlYMCY1fj82w=; b=IsC5/gUrPkkNL5M+h2bSbtJJ3nxR1OdDR0jg/MgDWp/RIWJlMZ++PD6FEyL/8Dg1DQ kL3tG6YEjwEjIMNIK5ufvwa9qP7InG4iKfcj6h5+oHlW+wdY1QMuT17hWZCA429ZgZNN Xaz5kBIOag34e8BF4yIk8LwPH4K8peGmtD/EtDlySr//Q+HiJjt0pKWc5X3tuamNDia6 9qj8uDy2tYOZRmoDUYuVoC1EXUOini33Rzn4+KA4OogusWUbhC4J+eFnFuSUS6x5RaI1 0P64F/Ewv8DwdRSKrOq1vvCS0asS1fNdmHTxOLhnZv7P11P62ngpDBGgx/4uw6f4R7Hl Uz+g== X-Gm-Message-State: AE9vXwNDRSnAfN2OyxXFqlGygeJp5cQqiWrAM6I9q8SCzldoBSW4cLMNjs/Boflr+laHDHcBrIqQ3ES8MERvVg== X-Received: by 10.36.87.212 with SMTP id u203mr32475461ita.7.1472753406363; Thu, 01 Sep 2016 11:10:06 -0700 (PDT) MIME-Version: 1.0 Received: by 10.79.84.2 with HTTP; Thu, 1 Sep 2016 11:10:05 -0700 (PDT) In-Reply-To: References: From: "rollingbits (Lucas)" Date: Thu, 1 Sep 2016 15:10:05 -0300 Message-ID: Subject: Re: edit others user crontab, security bug To: Matt Donovan Cc: Andrii Kuzik , freebsd-security Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Sep 2016 18:10:07 -0000 On Thu, Sep 1, 2016 at 10:37 AM, Matt Donovan wrote: > On Sep 1, 2016 8:15 AM, "Andrii Kuzik" wrote: (...) >> root# crontab -u www.promspecbud.com.other /tmp/test >> root# crontab -u www.promspecbud.com -l > > So your doing it as root. Root can do that. As it has access to everything. This may be obvious but I think you can not: the first cron command requests add a crontab to user 'www.promspecbud.com.other' but the table ends in user 'www.promspecbud.com'. Is it advertising in user names? -- rollingbits -- rollingbits@yahoo.com, lucasnm@ig.com.br, rollingbits@gmail.com, rollingbits@terra.com.br, rollingbits@globo.com