From owner-freebsd-security@freebsd.org Thu Sep 1 12:47:29 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 55323BCB33F for ; Thu, 1 Sep 2016 12:47:29 +0000 (UTC) (envelope-from akuzik@gmail.com) Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E3DEBD92 for ; Thu, 1 Sep 2016 12:47:28 +0000 (UTC) (envelope-from akuzik@gmail.com) Received: by mail-wm0-x232.google.com with SMTP id w207so4056215wmw.1 for ; Thu, 01 Sep 2016 05:47:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=4kQOcrCJmEezxdrdZbnM1RwzClBGgJrvFN0LZwd6rJQ=; b=xkX3cE7FY3ChomzoSOWtOa/8NkJio3JNqmefRF5h80PUntGAvl6tiN2h0t+YXEbcyM XBFdIdXm7KopjTXCeD8+tPR9K6Oug+K4NQkH+uHy+y3NGe+dmTVxbF7Tc60ndtaFCCGn CRlBPxG74+SuMka/pZVzKfO/m/TSZq3F68oQ8Az6aTXik6GVI6JVSjC1uLHSrBTy4TmI 1MX2dWa5AkACuJlxrOQTIQtVYuPWpQKOA2hI518IQSfOIEZYlJ5GsXW8eWHYnp70lEn3 Q0JZzHKYHU4PD7kvDp+DBEuVsRGVw/BIwVTG2ftka6+FXZ14gh5im9Y3XOgQCuWJML+2 BhgA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=4kQOcrCJmEezxdrdZbnM1RwzClBGgJrvFN0LZwd6rJQ=; b=IfRKrlcKfTTzRtjF9Fi3Aw7LDRKOZpgOXciWeSrANxtlpWM7MH0FV68DjIjmm2Z9bx 24qNZS8vv5BGRkdCEV+vT0cFvGvw3zg5mxc+bhOLlt4y86Rc/VEoZSuS9m+SQ7mCYp/C wLlbzdIOQQ4zvlp5p+6hn51/oGd1ISeNjOzNjhy1CHr1XmNVTc5sbdjrr6cNIJWtnTPu /ZxIjOUYxoGVQ9UK32/+uvry4KF8bMzDrzqDN8zEBKI7zpDqpTspHfP1TuaDrGfkkk0j SN4MDAdXFNAnVWCzwjb/hNJRUdzjTNMHhnlk2/upgoYKFjK43/5Qv5G9Z5eODLlPiFsu 6aVQ== X-Gm-Message-State: AE9vXwO0+pxI+rt28CIPaUeyweuYV34jZjqAD1EB/XlmlVCt+MW1twSFanjWOtwU8ffh/wSuiUWDvGoYRi/e6Q== X-Received: by 10.194.40.166 with SMTP id y6mr13607815wjk.171.1472734047032; Thu, 01 Sep 2016 05:47:27 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.139.65 with HTTP; Thu, 1 Sep 2016 05:47:26 -0700 (PDT) From: Andrii Kuzik Date: Thu, 1 Sep 2016 14:47:26 +0200 Message-ID: Subject: edit others user crontab, security bug To: freebsd-security@freebsd.org Content-Type: text/plain; charset=UTF-8 X-Mailman-Approved-At: Thu, 01 Sep 2016 13:14:57 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Sep 2016 12:47:29 -0000 Probably a lot of freebsd servers affected Security bug allows to edit other users crontab root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp root# echo @daily doit baby > /tmp/test root# crontab -u www.promspecbud.com.other /tmp/test root# crontab -u www.promspecbud.com -l =====output ===== @daily doit baby ================= root#echo @daily doit baby one more time>> /tmp/test root#sudo -u www.promspecbud.com.other crontab /tmp/test root#sudo -u www.promspecbud.com crontab -l =====output ===== @daily doit baby @daily doit baby one more time ================= root# uname -a FreeBSD kuzik 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 02:10:02 UTC 2016 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 best regards, Andrii Kuzik