[3868] in bugtraq


Another buggy root cron job

daemon@ATHENA.MIT.EDU (Steve Reid)
Wed Dec 25 03:38:36 1996

Date: 	Wed, 25 Dec 1996 00:16:47 -0800
Reply-To: Steve Reid <steve@edmweb.com>
From: Steve Reid <steve@edmweb.com>
X-To:         security@freebsd.org, security-officer@freebsd.org
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

-----BEGIN PGP SIGNED MESSAGE-----

Another cron job temp file bug that affects FreeBSD and possibly others.

/usr/libexec/locate.updatedb is called from /etc/weekly. It has _exactly_
the same problem as /etc/security with its opening temp files. By
default, it uses /var/tmp instead of /tmp, but they're both mode 1777 so
it doesn't make any difference. I was able to overwrite my own
/etc/master.passwd by just creating a symlink (as a normal user) and
running locate.updatedb (as root). I don't know if the content of the
files can be manipulated enough to gain root, but users being able to
munge any file on the system is not a Good Thing.

This was on a FreeBSD 2.1.0-RELEASE system. The locate.updatedb is
identical on my 2.1-stable (which is now 2.1.6.1-RELEASE) machine.

The easiest fix for this is the same as the easiest fix for /etc/security:
use a root-only directory such as /var/run instead of something world
writable. There's a handy line for this in the script:

if (! $?TMPDIR) setenv TMPDIR /var/tmp

Change it to
if (! $?TMPDIR) setenv TMPDIR /var/run
                                   ^^^
or just
setenv TMPDIR /var/run


Merry Christmas.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

-----END PGP SIGNATURE-----
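
Added example, not part of the original post and not FreeBSD's own code: a POSIX sh sketch of the defensive side of the fix above. It checks that a temp directory is not group- or world-writable before a root job uses it, and goes beyond the one-line TMPDIR change by creating a private per-run directory and refusing to write through a name that already exists. The function names and the "updatedb" template are hypothetical, and a system with mktemp(1) is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from locate.updatedb.

# Return 0 only if DIR is a real directory (not a symlink), owned by the
# calling user, and not writable by group or other.
tmpdir_is_private() {
    d=$1
    [ -d "$d" ] && [ ! -L "$d" ] && [ -O "$d" ] || return 1
    mode=$(ls -ld "$d") || return 1
    case $mode in
        d????w*|d???????w*) return 1 ;;   # group- or world-writable (e.g. 1777)
    esac
    return 0
}

# Create a fresh mode-0700 working directory with an unpredictable name
# under TMPDIR (default /var/tmp, as in the script) and print its path.
make_private_tmpdir() {
    ( umask 077 && mktemp -d "${TMPDIR:-/var/tmp}/updatedb.XXXXXXXXXX" )
}

# Write stdin to FILE only if FILE is a new name. With noclobber (set -C)
# the redirection fails when the name already exists as a regular file or
# as a symlink to one, so a pre-planted link is not followed and truncated.
create_new_file() {
    ( set -C; cat > "$1" ) 2>/dev/null
}
```

A root cron script would call make_private_tmpdir once, confirm the result with tmpdir_is_private, and create all of its work files inside that directory with create_new_file.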
