[392] in linux-security and linux-alert archive
Re: cron 3.0pl1-20: URGENT SECURITY FIX (fwd)
daemon@ATHENA.MIT.EDU (Zygo Blaxell)
Mon Sep 25 12:28:17 1995
From: Zygo Blaxell <zblaxell@miranda.uwaterloo.ca>
To: shields@tembel.org (Michael Shields)
Date: Sun, 24 Sep 1995 21:58:08 -0400 (EDT)
Cc: aleph1@dfw.net, linux-security@tarsier.cv.nrao.edu, paul@vix.com,
iwj10@cus.cam.ac.uk
In-Reply-To: <m0svomN-000DcvC@yage.tembel.org> from "Michael Shields" at Sep 21, 95 04:47:18 pm
Quoted from Michael Shields:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> It's also a functionality bug because it prevents you from running jobs
> that need sroup permissions you normally have. I fixed it a year ago and
> think I reported it then, but didn't think of it as a security hole.
> > Date: Thu, 21 Sep 95 01:58 BST
> > From: Ian Jackson <iwj10@cus.cam.ac.uk>
> > To: Debian package announcements <debian-changes@pixar.com>
> > Subject: cron 3.0pl1-20: URGENT SECURITY FIX
> >
> > There is a major security hole in cron 3.0pl1-19 and earlier, allowing
> > any user to gain access to the `root' group. On many (most?) systems
> > this will quickly allow them to gain superuser access.
Actually, this gives you access to all of the groups that root belongs
to, if I remember the bug correctly (hmmm...sure 'nough, in my build
logs for cron, a patch for it is listed as a 'portability' bug, not a
'security' bug. Oops).
A cute workaround: remove root from all groups in /etc/group. This
should break absolutely nothing. (think about it: why does 'root' need
access to a group anyway?). Also configure your system so that group
'root' doesn't buy you anything (something that people who have to use NFS
should be familiar with anyway; the same problem (and worse) affects NFS).
Many other programs (most notably any perl script) don't handle
initgroups properly. The workaround above fixes these other programs
as well.
--
Zygo Blaxell, former sysadmin and software/hardware guru for the University of
Waterloo Computer Science Club; current sysadmin for miranda.uwaterloo.ca and
Myrus Design, Inc. 10th place team, ACM Programming Contest International
Finals 1994. Will administer Unix (esp. Linux) for warm clothing or anime.
"I was finding holes in Netscape long ago; serious bugs any wannabe could
exploit. But now that _everyone_ is doing it, it's just not _cool_ any more."
