From owner-freebsd-security Wed Dec 25 00:17:10 1996
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id AAA01663 for security-outgoing; Wed, 25 Dec 1996 00:17:10 -0800 (PST)
Received: from bitbucket.edmweb.com (bitbucket.edmweb.com [204.244.190.9]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id AAA01654; Wed, 25 Dec 1996 00:17:01 -0800 (PST)
Received: from localhost (steve@localhost) by bitbucket.edmweb.com (8.6.12/8.6.12) with SMTP id AAA02719; Wed, 25 Dec 1996 00:16:50 -0800
X-Authentication-Warning: bitbucket.edmweb.com: steve owned process doing -bs
Date: Wed, 25 Dec 1996 00:16:47 -0800 (PST)
From: Steve Reid
To: bugtraq@netspace.org, security@freebsd.org, security-officer@freebsd.org
Subject: Another buggy root cron job
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Another cron job temp file bug that affects FreeBSD and possibly others.

/usr/libexec/locate.updatedb is called from /etc/weekly. It has _exactly_
the same problem as /etc/security with its opening of temp files. By
default, it uses /var/tmp instead of /tmp, but they're both mode 1777 so
it doesn't make any difference.

I was able to overwrite my own /etc/master.passwd by just creating a
symlink (as a normal user) and running locate.updatedb (as root). I don't
know if the content of the files can be manipulated enough to gain root,
but users being able to munge any file on the system is not a Good Thing.

This was on a FreeBSD 2.1.0-RELEASE system. The locate.updatedb is
identical on my 2.1-stable (which is now 2.1.6.1-RELEASE) machine.

The easiest fix for this is the same as the easiest fix for
/etc/security: use a root-only directory such as /var/run instead of
something world writable. There's a handy line for this in the script:

    if (! $?TMPDIR) setenv TMPDIR /var/tmp

Change it to

    if (! $?TMPDIR) setenv TMPDIR /var/run
                                   ^^^

or just

    setenv TMPDIR /var/run

Merry Christmas.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQEVAwUBMsDgzNtVWdufMXJpAQGEhggAn5UsdxLMi0+vTvS2PY/2WpV6l7aBIRh0
pVYIu7lEijxxggyVFSkhQIiVs+qJENxzATjDjehu4Y9vRE/Lt2TFMOwYghXUo5/B
PVTFlvhQUPBI3TNO7h4v5eLhiLhQdmxXfxpE2jEdouQ7OBD7F6Yeiz+FSSd+0dNo
bt2TsHqWohpgyKc2DZRqa9gElzQSemn/frQcTnpRKGe0y2fZQI3UcC4f9qM//0GR
EL/bKzZEDNvrHByDBFWgs7XTctjD1wQvlkOt3H0xWwqzzQKm18XNVJMBSZuBfkDa
Fp5+5QtnXh+NbwI1qhvwYYC+D0P3jTIvdXxfz6GTF1eI4SjN6H345A==
=WyHw
-----END PGP SIGNATURE-----
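The pattern the post describes (a root cron job writing to a fixed filename under a mode-1777 directory, so that a symlink planted by any local user redirects the write) is shown below beside a hardened form, as an added example that is not part of the original message or of FreeBSD's locate.updatedb. The function names (unsafe_write, dir_is_world_writable, safe_tmpfile, demo) are hypothetical, the whole demonstration runs inside a private directory created with mktemp -d, and the "victim" file it overwrites is a constructed sample. The hardened form applies the post's fix (refuse to operate under a world-writable TMPDIR) and additionally uses mktemp, which creates the file with an unpredictable name and exclusive creation, so a pre-planted symlink is never followed.

```shell
#!/bin/sh
# Vulnerable pattern, as in the 1996 locate.updatedb: a predictable
# filename in a world-writable directory, opened with plain redirection.
# The shell follows an existing symlink, so the write lands wherever
# the link points.  (Hypothetical helper, for illustration only.)
unsafe_write() {
    dir=$1
    echo "database contents" > "$dir/locate.tmp"
}

# Returns 0 if the directory's "other" write bit is set (modes such as
# 1777 or 0777), using only POSIX tools.  Hypothetical helper.
dir_is_world_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Hardened pattern: refuse a world-writable TMPDIR (the post's fix) and
# let mktemp create the file exclusively under a random name.  Prints the
# path of the new file on success; returns 1 without creating anything
# if the directory is unsafe.  Hypothetical helper.
safe_tmpfile() {
    dir=$1
    if dir_is_world_writable "$dir"; then
        echo "refusing to create temp file in world-writable $dir" >&2
        return 1
    fi
    mktemp "$dir/locate.XXXXXX"
}

# Self-contained demonstration in a private sandbox: a 1777 directory
# standing in for /var/tmp and a 0700 directory standing in for /var/run.
demo() {
    sandbox=$(mktemp -d) || return 1
    world=$sandbox/world; mkdir "$world"; chmod 1777 "$world"
    priv=$sandbox/priv;   mkdir "$priv";  chmod 700  "$priv"
    echo "original contents" > "$sandbox/victim"      # constructed sample
    ln -s "$sandbox/victim" "$world/locate.tmp"       # planted symlink

    unsafe_write "$world"
    echo "victim after unsafe_write: $(cat "$sandbox/victim")"

    if safe_tmpfile "$world" >/dev/null; then
        echo "unexpected: temp file created under world-writable dir"
    else
        echo "safe_tmpfile correctly rejected $world"
    fi
    f=$(safe_tmpfile "$priv") && echo "safe_tmpfile created $f"
    rm -rf "$sandbox"
}

# Run the demonstration only when invoked as: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

The directory check is the cheap part of the fix and is what the post recommends; mktemp is the belt-and-braces part, because even a root-only directory does not protect a script that reuses a fixed filename if some other root process can be tricked into creating it. Both checks together mean a cron job neither trusts /tmp or /var/tmp nor relies on a guessable name.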