[38266] in bugtraq
Re: crontab from vixie-cron allows read other users crontabs
daemon@ATHENA.MIT.EDU (David Malone)
Thu Apr 7 13:03:30 2005
Date: Wed, 6 Apr 2005 22:31:56 +0100
From: David Malone <dwmalone@maths.tcd.ie>
To: Karol Wi?sek <appelast@drumnbass.art.pl>
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Message-ID: <20050406213156.GA28054@walton.maths.tcd.ie>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4253B350.8000903@drumnbass.art.pl>
On Wed, Apr 06, 2005 at 12:00:48PM +0200, Karol Wi?sek wrote:
> Details:
>
> Insufficient checks allows user to change during edition regular file to
> symbolic link to any file. While copying crontab uses root permisions,
> but also checks entrys, so attacker is only able to read properly
> formated crontab files (another users crontabs).
Is this not the same bug as:
http://cert.uni-stuttgart.de/archive/bugtraq/2000/10/msg00326.html
which was fixed in a number of OSs at the time? For example on
FreeBSD you get an error that crontabs should be edited in place.
David.
22:23:kac 18% setenv EDITOR /tmp/c
22:23:kac 19% crontab -e
/tmp/crontab.nW9oUGhN18
$ unlink /tmp/crontab.nW9oUGhN18
$ ln -s /var/cron/tabs/root
$ set -E
$ ln -s /var/cron/tabs/root /tmp/crontab.nW9oUGhN18
$ exit
crontab: temp file must be edited in place
22:24:kac 20% uname
FreeBSD
