[1903] in bugtraq
Re: linux atrun
daemon@ATHENA.MIT.EDU (bt)
Tue May 23 15:49:39 1995
Date: Tue, 23 May 1995 10:55:56 -0700 (PDT)
From: bt <bt@cyberflunk.semaphore.com>
To: Claudio Telmon <claudio@fire.di.unipi.it>
Cc: bugtraq@crimelab.com
In-Reply-To: <199505220903.LAA10036@fire.di.unipi.it>
On Mon, 22 May 1995, Claudio Telmon wrote:
> 2) There is a (known?) way to run arbitrary script files as suid/sgid
> without the need to set the permission bits.
> All you need is write permissions in the /var/spool/atjobs directory.
> This is because atrun uses the user/group of the files in the directory to
> suid/sgid before execution. If you can add a link in the directory to your
> target file, atrun will execute it as suid/sgid.
I saw something about this the other day.. this is from the guy that
wrote it, I think.. most major Linux distributions have version 2.7
--->
Earlier versions of my at/atrun package for Linux had a bug which
allowed root access for any authorized user of the system.
This bug can only be exploited if the user can edit a job he's
submitted to the atrun queue.
If 'at -V' shows a version earlier than 2.7, or if the directory
/var/spool/atjobs (or, possibly, /usr/spool/atjobs) is world-executable,
you are vulnerable.
In that case, upgrade your system to at 2.7 or 2.7a immediately.
In the meantime, changing the permissions of /var/spool/atjobs to 700
will prevent unauthorized root access; this may also render the
'at' system unusable.
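
An audit of the spool directory for the conditions named in this thread, as an added example that is not part of the original post or of the at package. The function name `audit_atjobs` and the finding labels are assumptions made for this example; the default path and the `chmod 700` hint come from the advisory text above. It does not check the `at -V` version.

```shell
#!/bin/sh
# Added example: defensive audit of an at spool directory.
# Usage: audit_atjobs /var/spool/atjobs
# Returns 0 if nothing was found, 1 if there are findings, 2 if the path is missing.

audit_atjobs() {
    dir=${1:-/var/spool/atjobs}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "SKIP: $dir is not a directory"
        return 2
    fi

    # Advisory condition: the spool directory is world-executable.
    if [ -n "$(find "$dir" -prune -perm -0001)" ]; then
        echo "FINDING: $dir is world-executable"
        findings=$((findings + 1))
    fi

    # Condition from the quoted report: someone other than the owner
    # has write permission in the spool directory.
    if [ -n "$(find "$dir" -prune \( -perm -0002 -o -perm -0020 \))" ]; then
        echo "FINDING: $dir is group- or world-writable"
        findings=$((findings + 1))
    fi

    # Links planted in the spool: symlinks, or regular files with more
    # than one hard link. Only direct children of the directory are listed.
    links=$(find "$dir/." ! -name . -prune \
        \( -type l -o \( -type f -links +1 \) \) -print)
    if [ -n "$links" ]; then
        echo "$links" | sed 's/^/FINDING: linked job entry: /'
        findings=$((findings + 1))
    fi

    if [ "$findings" -gt 0 ]; then
        # Interim mitigation quoted from the advisory; it may make at unusable.
        echo "HINT: chmod 700 $dir until at is upgraded"
        return 1
    fi
    return 0
}
```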