[19188] in bugtraq


Re: vixie cron possible local root compromise

daemon@ATHENA.MIT.EDU (gabriel rosenkoetter)
Tue Feb 13 17:31:38 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010212131202.C29928@eclipsed.net>
Date:         Mon, 12 Feb 2001 13:12:02 -0500
Reply-To: gabriel rosenkoetter <gr@ECLIPSED.NET>
From: gabriel rosenkoetter <gr@ECLIPSED.NET>
X-To:         Flatline <achter05@IE.HVA.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <5.0.2.1.2.20010211003607.00a627e8@pop3.lb.hva.nl>; from
              achter05@IE.HVA.NL on Sun, Feb 11, 2001 at 12:38:02AM +0100

On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:
> When crontab has determined the name of the user calling crontab (using
> getpwuid()), the login name is stored in a 20 byte buffer using the
> strcpy() function (which does no bounds checking). 'useradd' (the utility
> used to add users to the system) however allows usernames of over 20
> characters (32 at most on my distribution).
>
> Therefore, running crontab as a user whose login name exceeds 20 characters
> crashes it.

Then your useradd is broken and doing improper bounds checking.

I'm not sure why Vixie chose 20 characters, but it should be enough,
since usernames longer than 8 characters should not be expected to
behave properly. (The system won't know they're unique.) This is a
POSIX thing, last I heard.

       ~ g r @ eclipsed.net
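
The length check that the quoted report says is missing before the copy, as an added example that is not part of the original message and is not Vixie cron's source. `copy_login`, `current_login` and `NAME_BUF` are hypothetical names; the 20-byte size is the figure given in the report, and the sample logins are constructed.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NAME_BUF 20 /* buffer size quoted in the report */

/* Bounded replacement for strcpy(dst, login). An overlong name is refused
 * rather than truncated, because a truncated login could name a different
 * account. On any failure dst is left as an empty string. */
int copy_login(char *dst, size_t dstlen, const char *login)
{
    size_t n;

    if (dst == NULL || dstlen == 0) return -1;
    dst[0] = '\0';
    if (login == NULL) return -1;
    n = strlen(login);
    if (n >= dstlen) {          /* no room for the name plus its NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, login, n + 1);
    return 0;
}

/* Look up the calling user and copy the login name with the check above. */
int current_login(char *dst, size_t dstlen)
{
    struct passwd *pw = getpwuid(getuid());

    if (pw == NULL) return copy_login(dst, dstlen, NULL);
    return copy_login(dst, dstlen, pw->pw_name);
}

int main(void)
{
    char name[NAME_BUF];
    /* Constructed sample logins: short, 19 characters, longer than 20. */
    const char *samples[] = {"gr", "nineteen_chars_name",
                             "a_constructed_login_well_over_20"};
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s len=%2zu -> %s\n", samples[i], strlen(samples[i]),
               copy_login(name, sizeof name, samples[i]) == 0 ? "copied" : "refused");
    if (current_login(name, sizeof name) == 0) printf("caller: %s\n", name);
    return 0;
}
```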
