Date:      Thu, 1 Jun 2006 15:49:18 +0300
From:      Kostik Belousov <kostikbel@gmail.com>
To:        freebsd-hackers@freebsd.org
Subject:   recent vixie cron vulnerability
Message-ID:  <20060601124918.GA51393@deviant.kiev.zoral.com.ua>



There was a recent discovery of a problem in the vixie cron
job execution, see
http://www.securityfocus.com/bid/18108/
and
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431
The hole exists because calls to setuid(2) go unchecked
for errors.

At first look, the issue seems to be irrelevant to FreeBSD,
because, in the absence of mac(9), setuid(2) and similar
calls can fail only for a non-root user.

But if mac is present, then setuid(2) could fail,
and our version 3.0 cron will execute the user job with uid zero as well.
To trick cron into the problem, some mac policy would have to be present in the
kernel that fails the setuid() call for some reason.

Do you consider this important enough to justify the patch?

Index: cron/do_command.c
===================================================================
RCS file: /usr/local/arch/ncvs/src/usr.sbin/cron/cron/do_command.c,v
retrieving revision 1.23
diff -u -r1.23 do_command.c
--- cron/do_command.c	24 Aug 2005 17:51:36 -0000	1.23
+++ cron/do_command.c	1 Jun 2006 12:47:31 -0000
@@ -245,12 +245,29 @@
 			/* set our directory, uid and gid.  Set gid first,
 			 * since once we set uid, we've lost root privledges.
 			 */
-			setgid(e->gid);
+			if (setgid(e->gid) !=3D 0) {
+				log_it(usernm,getpid(),"error","setgid failed");
+				exit(ERROR_EXIT);
+				/*NOTREACHED*/
+			}
 # if defined(BSD)
-			initgroups(usernm, e->gid);
+			if (initgroups(usernm, e->gid) !=3D 0) {
+				log_it(usernm,getpid(),"error","initgroups failed");
+				exit(ERROR_EXIT);
+				/*NOTREACHED*/
+			}			=09
 # endif
-			setlogin(usernm);
-			setuid(e->uid);		/* we aren't root after this..*/
+			if (setlogin(usernm) !=3D 0) {
+				log_it(usernm,getpid(),"error","setlogin failed");
+				exit(ERROR_EXIT);
+				/*NOTREACHED*/
+			}
+			if (setuid(e->uid) !=3D 0) {
+				log_it(usernm,getpid(),"error","setuid failed");
+				exit(ERROR_EXIT);
+				/*NOTREACHED*/
+			}
+			/* we aren't root after this..*/
 #if defined(LOGIN_CAP)
 		}
 		if (lc !=3D NULL)
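Review bot: the child's error path uses `exit(ERROR_EXIT)` in all four new checks, while the popen.c hunk of the same patch uses `_exit()`; in a forked child `_exit()` is the safer choice, since it skips the parent's atexit handlers and a second flush of inherited stdio buffers, so the two hunks should agree. The `log_it(usernm,getpid(),"error","setgid failed")` messages would also be more useful with `strerror(errno)` appended, because the whole point of the change is a refusal from a MAC policy that an administrator will want to identify from the log. Minor: the `}` closing the initgroups check carries a trailing tab.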
Index: cron/popen.c
===================================================================
RCS file: /usr/local/arch/ncvs/src/usr.sbin/cron/cron/popen.c,v
retrieving revision 1.12
diff -u -r1.12 popen.c
--- cron/popen.c	6 Feb 2002 02:00:07 -0000	1.12
+++ cron/popen.c	1 Jun 2006 12:47:31 -0000
@@ -175,12 +175,21 @@
 				/* set our directory, uid and gid.  Set gid first,
 				 * since once we set uid, we've lost root privledges.
 				 */
-				setgid(e->gid);
+				if (setgid(e->gid) !=3D 0)
+					_exit(ERROR_EXIT);
+				/*NOTREACHED*/
 # if defined(BSD)
-				initgroups(usernm, e->gid);
+				if (initgroups(usernm, e->gid) !=3D 0)
+					_exit(ERROR_EXIT);
+				/*NOTREACHED*/
 # endif
-				setlogin(usernm);
-				setuid(e->uid);         /* we aren't root after this..*/
+				if (setlogin(usernm) !=3D 0)
+					_exit(ERROR_EXIT);
+				/*NOTREACHED*/
+				if (setuid(e->uid) !=3D 0)
+					_exit(ERROR_EXIT);
+				/*NOTREACHED*/
+				/* we aren't root after this..*/
 #if defined(LOGIN_CAP)
 			}
 			if (lc !=3D NULL)
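Review bot: the `/*NOTREACHED*/` markers are placed after the unbraced `if (...) _exit(ERROR_EXIT);` statements, i.e. on the code that is reached whenever the call succeeds; they belong on the line after `_exit()` inside the conditional, as the do_command.c hunk has it, otherwise the lint annotation is misleading. Unlike that hunk, these failures are silent: a setuid(2) refused by a MAC policy ends the child with no entry in the cron log, so a `log_it()` call before each `_exit()` would help, if it is safe to call from this child.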

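As an added example (not part of this mail or of the FreeBSD cron sources), here is the pattern the patch is about in isolated form: the unchecked identity switch cron 3.0 performed, next to a checked version that fails closed and verifies the result before the job runs. `drop_privileges`, `drop_privileges_unchecked`, `run_job_as` and `sample_job` are hypothetical names; the supplementary-group step (initgroups(3) in cron) is left out because it needs a user name and root, and no MAC policy is modelled, so on an ordinary user account the refused call is `setuid(0)`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef ERROR_EXIT
#define ERROR_EXIT 1        /* same value cron uses for a failed job */
#endif

/*
 * Unchecked pattern, as in cron 3.0 before the patch: every call is made,
 * no result is looked at.  If the kernel refuses one of them (a MAC policy,
 * an unprivileged caller), the function returns normally and the caller
 * goes on to exec the job with whatever credentials the process kept.
 */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    int rc;

    rc = setgid(gid);   /* result discarded ... */
    rc = setuid(uid);   /* ... "we aren't root after this.." is only a hope */
    (void)rc;
}

/*
 * Checked pattern: set gid first (only root may do it), then uid; treat any
 * refusal as fatal for the job, and verify the outcome before trusting it.
 * Supplementary groups (initgroups(3) in cron) are omitted here because
 * they need a user name and root.  Returns 0 when the process now runs as
 * uid:gid, -1 with errno set otherwise.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Confirm the kernel really switched real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Once non-root, regaining root must be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Constructed stand-in for a cron job; counts how often it was run. */
static int sample_job_runs_count = 0;

int sample_job(void)
{
    sample_job_runs_count++;
    return 42;
}

int sample_job_runs(void)
{
    return sample_job_runs_count;
}

/*
 * Hypothetical job runner: switches identity, then runs the job.  Returns
 * the job's status, or ERROR_EXIT without running it when the switch
 * failed.  In cron this is the forked child, which would _exit() instead
 * of returning.
 */
int run_job_as(uid_t uid, gid_t gid, int (*job)(void))
{
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "error: cannot run job as uid %lu: %s\n",
                (unsigned long)uid, strerror(errno));
        return ERROR_EXIT;
    }
    return job();
}

int main(void)
{
    /* Run as a normal user: switching to root must be refused. */
    drop_privileges_unchecked(0, 0);
    printf("after unchecked drop: euid=%lu\n", (unsigned long)geteuid());
    printf("checked run as self: status=%d\n",
           run_job_as(getuid(), getgid(), sample_job));
    printf("checked run as root: status=%d\n",
           run_job_as(0, 0, sample_job));
    return 0;
}
```

Run as a normal user, the unchecked variant leaves the process with its original identity and goes on as if nothing happened, which is exactly how the unpatched cron ends up running a job as uid 0 when a MAC policy refuses the switch; the checked `run_job_as(0, 0, ...)` returns ERROR_EXIT without executing the job, which is the behaviour the patch gives cron.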



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060601124918.GA51393>