Date: Sat, 23 Sep 1995 04:16:04 -0500 (CDT)
From: Mike Pritchard <mpp@mpp.minn.net>
To: mighty.hoffmann@psi.wsl.sinica.edu.tw (Yen-Wei Liu)
Cc: security@freebsd.org
Subject: Re: cron 3.0pl1-20: URGENT SECURITY FIX (fwd) from Linux-security
Message-ID: <199509230916.EAA26891@mpp.minn.net>
In-Reply-To: <199509231008.KAA19544@psi.wsl.sinica.edu.tw> from "Yen-Wei Liu" at Sep 23, 95 10:08:04 am

Yen-Wei Liu wrote:
>
> Hi,
>
> The following message comes from linux-security mailing list.
> ...
>
> > There is a major security hole in cron 3.0pl1-19 and earlier, allowing
> > any user to gain access to the `root' group. On many (most?) systems
> > this will quickly allow them to gain superuser access.
> >
> > ...
> > cron (3.0pl1-20); priority=URGENT
> >
> > * cron now uses initgroups when running jobs. Bug#1400. AARGH!
> >
> > -- Ian Jackson <iwj10@cus.cam.ac.uk> Thu, 21 Sep 1995 01:44:11 +0100

I've attached the relevant code segment from .../cron/do_command.c
below. FreeBSD doesn't suffer from the problem because "BSD" is
defined at this point via a #include of sys/param.h, and initgroups
does get called.

Just in case anyone is wondering, LOGNAME is not settable by the user,
so there isn't a way to fake initgroups into giving the user the wrong
group list by setting LOGNAME to some other user.

...
    /* set our directory, uid and gid. Set gid first, since once
     * we set uid, we've lost root privileges.
     */
    chdir(env_get("HOME", e->envp));
# if defined(BSD)
    initgroups(env_get("LOGNAME", e->envp), e->gid);
# endif
    setgid(e->gid);
    setuid(e->uid);    /* we aren't root after this... */

    /* exec the command. */
...

--
Mike Pritchard
mpp@mpp.minn.net
"Go that way. Really fast. If something gets in your way, turn"
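The drop order discussed in the message above (supplementary groups, then gid, then uid), as an added example that is not part of the original e-mail or of cron's source. `drop_privileges` and `count_leaked_groups` are hypothetical names, and the group lists in `main` are constructed sample values showing what a child keeps when the `initgroups` call is compiled out.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose initgroups() */
#endif
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Count entries of have[] that are neither gid nor listed in allowed[].
 * Non-zero means the process still holds groups the target user lacks. */
int count_leaked_groups(const gid_t *have, int nhave, gid_t gid,
                        const gid_t *allowed, int nallowed)
{
    int leaked = 0;
    for (int i = 0; i < nhave; i++) {
        int ok = (have[i] == gid);
        for (int j = 0; j < nallowed && !ok; j++)
            ok = (have[i] == allowed[j]);
        if (!ok)
            leaked++;
    }
    return leaked;
}

/* Drop from root to user/uid/gid in the order the message describes.
 * Returns 0 on success, -1 if any step fails (caller must not exec). */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (initgroups(user, gid) != 0)   /* replace inherited group list */
        return -1;
    if (setgid(gid) != 0)             /* gid before uid: needs root */
        return -1;
    if (setuid(uid) != 0)             /* not root after this */
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* regaining root must fail */
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: daemon inherited groups 0 and 5 from root;
     * the job's user has gid 100 and is also a member of group 20. */
    gid_t inherited[] = {0, 5}, correct[] = {100, 20}, member_of[] = {20};
    printf("without initgroups: %d leaked\n",
           count_leaked_groups(inherited, 2, 100, member_of, 1));
    printf("with initgroups:    %d leaked\n",
           count_leaked_groups(correct, 2, 100, member_of, 1));
    return 0;
}
```

`drop_privileges` only succeeds when called as root, so `main` exercises the group-list comparison alone.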