Bugtraq mailing list archives

Re: vixiecron.


From: irvdwijk () cs vu nl (irvdwijk () cs vu nl)
Date: Fri, 5 Aug 1994 16:17:18 +0200 (MET DST)


Cor wrote


> One of the bugs I found and reported to Vixie about a year ago regarding
> his vixiecron, was that you could do the following:
>
> MAILTO="whatever; /bin/cp /bin/sh /tmp; chmod 4777 /tmp/sh"
>
> He fixed this, and with it introduced a new bug we also reported.
> I can't really remember the details, but it had something to do with
> a temporary file he was using, that you could predict, and thus link
> to /etc/master.passwd or something.

I heard that there were three major security holes in previous versions of
VixieCron. Two of them I know, the one you, Cor, described (with MAILTO)
and the one using the '-r' switch:

        crontab -r /etc/master.passwd
        crontab -l

Does anyone know the third? Is it, like Cor said, with a tempfile?
Cor

        Ivo

PS: To fix these bugs (or at least, to disable them):
    You can disable the MAILTO bug by denying access
    (/var/spool/cron/{allow,deny} I think).
    To disable the bug in crontab (-r), you will probably have to
    remove the setuid bit. As far as I know, upgrading to the latest
    version (3.*) should also be safe (though I never checked this version
    for bugs).

-- 
------------------------------------------------------------------------
Name:     Ivo van der Wijk  | It won't give up it wants me dead
Internet: irvdwijk () cs vu nl | this goddamn noise inside my head
IRC:      VladDrac          |                                |\|||/| 
URL:      http://www.hut.nl/users/ivo
------------------------------------------------------------------------
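
An added example, not part of the original post and not Vixie cron's own code: a Python audit that flags crontab MAILTO assignments whose value is anything other than a plain list of mail addresses, such as the value quoted in the message above. The function names, the allowed character set, the comma-separated recipient handling and the sample crontab are assumptions constructed for illustration.

```python
import re

# Crontab environment line: NAME = value (spaces around '=' are optional).
ENV_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
# Assumed allow-list for one recipient: starts alphanumeric, then address
# characters only. Spaces, ';', '|', '`', '$' and similar are all rejected.
SAFE_RECIPIENT = re.compile(r'[A-Za-z0-9][A-Za-z0-9_.+@-]*')


def unquote(value):
    """Strip one pair of matching quotes around a crontab value."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def audit_crontab(text):
    """Return (line_number, value) for each MAILTO that is not a plain address list."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        match = ENV_LINE.match(line)
        if not match or match.group(1) != "MAILTO":
            continue  # job entry or some other variable
        value = unquote(match.group(2))
        if value == "":
            continue  # empty MAILTO: no mail is sent
        # Assumption: several recipients may be given, separated by commas.
        recipients = [r.strip() for r in value.split(",")]
        if not all(SAFE_RECIPIENT.fullmatch(r) for r in recipients):
            findings.append((lineno, value))
    return findings


# Constructed sample crontab; line 4 carries the value quoted in the post.
SAMPLE = '''\
# nightly jobs
MAILTO=ops@example.org
0 2 * * * /usr/local/bin/backup
MAILTO="whatever; /bin/cp /bin/sh /tmp; chmod 4777 /tmp/sh"
MAILTO = "alice, bob@example.org"
MAILTO=""
'''

if __name__ == "__main__":
    for lineno, value in audit_crontab(SAMPLE):
        print(f"line {lineno}: unsafe MAILTO value: {value!r}")
```
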


