Date: Thu, 1 Sep 2016 18:56:04 +0200 (CEST)
From: Damian Weber <dweber@htwsaar.de>
To: freebsd-security@freebsd.org
Subject: Re: edit others user crontab, security bug
Message-ID: <alpine.BSF.2.20.1609011847040.21761@isl-dw.htwsaar.de>
In-Reply-To: <1472737438.3589865.712736753.5CFBB0DC@webmail.messagingengine.com>
References: <CA%2Bf9Cbu8q2KngxgAmZ8BrKYyYC5okDcMAs4nd=SJS6YpBMRJcQ@mail.gmail.com> <1472737438.3589865.712736753.5CFBB0DC@webmail.messagingengine.com>

On Thu, 1 Sep 2016, Edho Arief wrote:

> Date: Thu, 1 Sep 2016 15:43:58
> From: Edho Arief <me@myconan.net>
> To: freebsd-security@freebsd.org
> Subject: Re: edit others user crontab, security bug
>
> Hi,
>
> On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> > Probably a lot of freebsd servers affected
> >
> > Security bug allows to edit other users crontab
> >
> > root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
> > root# echo @daily doit baby > /tmp/test
> > root# crontab -u www.promspecbud.com.other /tmp/test
> > root# crontab -u www.promspecbud.com -l
> >
> > =====output =====
> > @daily doit baby
> > =================
> >
> > root#echo @daily doit baby one more time>> /tmp/test
> > root#sudo -u www.promspecbud.com.other crontab /tmp/test
> > root#sudo -u www.promspecbud.com crontab -l
> > =====output =====
> > @daily doit baby
> > @daily doit baby one more time
> > =================
> >
>
> to be more specific, the bug is crontab truncates usernames to 19
> characters as defined in cron.h:
>
> #define MAX_UNAME 20 /* max length of username, should be overkill */
>
> # pw useradd users12345names67890
> # crontab -u users12345names67890 -l
> crontab: no crontab for users12345names6789
>                                            ^-- cut off

apart from the crontab user length there seem to be quite a lot of
possible values to choose from (MAXLOGNAME being the FreeBSD
standard, right?)

$ cd /usr/include
$ egrep "^#define.*(USER|LOG)" */*h *.h| grep MAX |grep NAME
bsm/libbsm.h:#define AU_USER_NAME_MAX 50
netsmb/smb.h:#define SMB_MAXUSERNAMELEN 128
sys/param.h:#define MAXLOGNAME 33 /* max login name length (incl. NUL) */
sys/sysctl.h:#define USER_TZNAME_MAX 20 /* int: POSIX2_TZNAME_MAX */
limits.h:#define _POSIX_LOGIN_NAME_MAX 9
stdio.h:#define L_cuserid 17 /* size for cuserid(3); MAXLOGNAME, legacy */
unistd.h:#define _SC_LOGIN_NAME_MAX 73

-- 
Damian Weber
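
Added example (not part of the original message and not cron's own source): a small C model of the truncation described in the thread, next to a copy that rejects over-long names instead of shortening them. MAX_UNAME is the value quoted above from cron.h; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_UNAME 20 /* value quoted from cron.h in the thread */

/* Model of the flawed pattern: silently cut the name to MAX_UNAME-1 chars. */
static void copy_truncating(char dst[MAX_UNAME], const char *name)
{
    strncpy(dst, name, MAX_UNAME - 1);
    dst[MAX_UNAME - 1] = '\0';
}

/* Hardened form: refuse names that do not fit. Returns 0 on success, -1 if rejected. */
static int copy_checked(char dst[MAX_UNAME], const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n >= MAX_UNAME)
        return -1;              /* caller must fail, not fall back to a prefix */
    memcpy(dst, name, n + 1);   /* n + 1 copies the terminating NUL as well */
    return 0;
}

/* Returns 1 when two distinct login names map to the same truncated key. */
static int names_collide(const char *a, const char *b)
{
    char ka[MAX_UNAME], kb[MAX_UNAME];
    copy_truncating(ka, a);
    copy_truncating(kb, b);
    return strcmp(a, b) != 0 && strcmp(ka, kb) == 0;
}

int main(void)
{
    /* The two account names from the report quoted in the thread. */
    const char *u1 = "www.promspecbud.com";       /* 19 characters */
    const char *u2 = "www.promspecbud.com.other"; /* 25 characters */
    char buf[MAX_UNAME];

    printf("collide after truncation: %d\n", names_collide(u1, u2));
    printf("checked copy of u1: %d\n", copy_checked(buf, u1));
    printf("checked copy of u2: %d\n", copy_checked(buf, u2));
    return 0;
}
```

The length check only closes the collision if every caller treats -1 as a hard failure; sizing the buffer from MAXLOGNAME would additionally let the longer account names work.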