[381] in linux-security and linux-alert archive
Re: cron 3.0pl1-20: URGENT SECURITY FIX (fwd)
daemon@ATHENA.MIT.EDU (Michael Shields)
Sat Sep 23 19:37:34 1995
From: shields@tembel.org (Michael Shields)
To: aleph1@dfw.net (Aleph One)
Date: Thu, 21 Sep 1995 16:47:18 +0000 (GMT)
Cc: linux-security@tarsier.cv.nrao.edu, paul@vix.com, iwj10@cus.cam.ac.uk
In-Reply-To: <Pine.SUN.3.90.950920204255.15987A-100000@dfw.net> from "Aleph One" at 1995-09-20 20:43:25
-----BEGIN PGP SIGNED MESSAGE-----
It's also a functionality bug because it prevents you from running jobs
that need group permissions you normally have. I fixed it a year ago and
think I reported it then, but didn't think of it as a security hole.
Here is a patch:
Index: c.s.u/vixie-cron/do_command.c
--- c.s.u/vixie-cron/do_command.c:1.1.1.2 Mon Jun 13 21:41:44 1994
+++ c.s.u/vixie-cron/do_command.c Thu Sep 29 01:24:51 1994
@@ -207,7 +207,7 @@
* we set uid, we've lost root privledges.
*/
setgid(e->gid);
-# if defined(BSD)
+# if defined(BSD) || defined(linux)
initgroups(env_get("LOGNAME", e->envp), e->gid);
# endif
setuid(e->uid); /* we aren't root after this... */
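Review bot: the return values of setgid(), initgroups() and setuid() in this hunk are all ignored, so if initgroups() fails the job still runs with the supplementary groups the daemon held before the call, which is the condition this guard change is meant to remove. Each call should be checked and the job refused on failure. The guard itself still skips initgroups() silently on any build where neither BSD nor linux is defined; calling it unconditionally, or making its absence a compile-time error, would keep the next port from repeating the hole. The user name comes from env_get("LOGNAME", e->envp); if that lookup can return NULL, initgroups() is handed a null pointer, so test the result before the call.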
> Anyone know anything more?
>
> Aleph One / aleph1@dfw.net
> http://underground.org/
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
>
> ---------- Forwarded message ----------
> Date: Thu, 21 Sep 95 01:58 BST
> From: Ian Jackson <iwj10@cus.cam.ac.uk>
> To: Debian package announcements <debian-changes@pixar.com>
> Subject: cron 3.0pl1-20: URGENT SECURITY FIX
>
> There is a major security hole in cron 3.0pl1-19 and earlier, allowing
> any user to gain access to the `root' group. On many (most?) systems
> this will quickly allow them to gain superuser access.
>
[...]
>
> cron (3.0pl1-20); priority=URGENT
>
> * cron now uses initgroups when running jobs. Bug#1400. AARGH!
- --
Shields.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMGGWseyjYMb1RsVfAQHwJAP/doSODO49ZrtdhRW300b8VEWUFS93qXHH
WDi3LbL7AcCV3+Usos53HDutXTDEspBXnjFbtqtzKNKHLKn/qC4TPeE72B1EVnYb
0WBSf9ulUdjlR6P3alhKWR7D1IC24wxTRbz5A0jeUNIUR531IA7t/Uk9Otw8ElSH
JwTcJUp6VVg=
=lMnn
-----END PGP SIGNATURE-----