From: Mike Pritchard
Message-Id: <199509230916.EAA26891@mpp.minn.net>
Subject: Re: cron 3.0pl1-20: URGENT SECURITY FIX (fwd) from Linux-security
To: mighty.hoffmann@psi.wsl.sinica.edu.tw (Yen-Wei Liu)
Date: Sat, 23 Sep 1995 04:16:04 -0500 (CDT)
Cc: security@freebsd.org
In-Reply-To: <199509231008.KAA19544@psi.wsl.sinica.edu.tw> from "Yen-Wei Liu" at Sep 23, 95 10:08:04 am

Yen-Wei Liu wrote:
>
> Hi,
>
> The following message comes from linux-security mailing list.
> ...
>
> > There is a major security hole in cron 3.0pl1-19 and earlier, allowing
> > any user to gain access to the `root' group. On many (most?) systems
> > this will quickly allow them to gain superuser access.
> >
> > ...
> > cron (3.0pl1-20); priority=URGENT
> >
> >   * cron now uses initgroups when running jobs. Bug#1400. AARGH!
> >
> >  -- Ian Jackson Thu, 21 Sep 1995 01:44:11 +0100

I've attached the relevant code segment from .../cron/do_command.c
below. FreeBSD doesn't suffer from the problem because "BSD" is
defined at this point via a #include of sys/param.h, and initgroups
does get called.

Just in case anyone is wondering, LOGNAME is not settable by the user,
so there isn't a way to fake initgroups into giving the user the wrong
group list by setting LOGNAME to some other user.

...
		/* set our directory, uid and gid.  Set gid first, since once
		 * we set uid, we've lost root privileges.
		 */
		chdir(env_get("HOME", e->envp));
# if defined(BSD)
		initgroups(env_get("LOGNAME", e->envp), e->gid);
# endif
		setgid(e->gid);
		setuid(e->uid);		/* we aren't root after this... */

		/* exec the command.
		 */
...
-- 
Mike Pritchard
mpp@mpp.minn.net
"Go that way. Really fast. If something gets in your way, turn"
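
Added example, not part of the original message or of cron's source: the same drop sequence as the excerpt above (initgroups, then setgid, then setuid), with every return value checked and a check afterwards that no supplementary group inherited from the root parent survived. The names drop_to_user and leaked_groups and the 64-entry buffers are assumptions of this example.

```c
#define _DEFAULT_SOURCE   /* glibc: expose initgroups() and getgrouplist() */
#include <sys/types.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>

/* Count supplementary groups in held[] that the target user is not
 * entitled to (neither the primary gid nor listed in allowed[]).
 * Nonzero means groups were inherited from the privileged parent. */
int leaked_groups(const gid_t *held, int nheld,
                  const gid_t *allowed, int nallowed, gid_t primary)
{
    int leaked = 0;
    for (int i = 0; i < nheld; i++) {
        int ok = (held[i] == primary);
        for (int j = 0; j < nallowed && !ok; j++)
            ok = (held[i] == allowed[j]);
        if (!ok)
            leaked++;
    }
    return leaked;
}

/* Drop from root to pw: supplementary groups, then gid, then uid.
 * Returns 0 on success, -1 if any call fails or a group from the
 * parent is still held. Fails closed if a list exceeds 64 entries. */
int drop_to_user(const struct passwd *pw)
{
    gid_t allowed[64], held[64];
    int nallowed = 64, nheld;

    /* Without this call the job keeps the parent's group list. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;   /* not root after this */

    /* Verify: compare what we hold with what the group database grants. */
    if (getgrouplist(pw->pw_name, pw->pw_gid, allowed, &nallowed) < 0)
        return -1;
    if ((nheld = getgroups(64, held)) < 0) return -1;
    return leaked_groups(held, nheld, allowed, nallowed, pw->pw_gid) ? -1 : 0;
}
```

The caller should refuse to exec the job when drop_to_user returns -1.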