Bugtraq mailing list archives
Re: vixie cron possible local root compromise
From: Alan DeKok <aland () GILES STRIKER OTTAWA ON CA>
Date: Tue, 13 Feb 2001 15:54:00 -0500
gabriel rosenkoetter <gr () ECLIPSED NET> wrote:
On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:When crontab has determined the name of the user calling crontab (using getpwuid()), the login name is stored in a 20 byte buffer using the strcpy() function (which does no bounds checking).
This is obviously a problem.
'useradd' (the utility used to add users to the system) however allows usernames of over 20 characters (32 at most on my distribution). Therefore, running crontab as a user whose login name exceeds 20 characters crashes it.Then your useradd is broken and doing improper bounds checking.
Nonsense. Some OS's *may* allow usernames longer than 8 characters. Applications which are broken on such systems are broken applications. There's a serious difference between an app saying "I can't handle that username", and the app crashing and burning. Well behaved applications are the cornerstone of security. Ill-behaved applications are (almost by definition) insecure.
I'm not sure why Vixie chose 20 characters, but it should be enough, since usernames longer than 8 characters should not be expected to behave properly. (They system won't know they're unique.) This is a POSIX thing, last I heard.
So? Does this mean that it's OK to write applications that have buffer over-runs and security holes when run on systems other than yours? I find this attitude amazing. You don't understand why other people would want to have usernames longer than 8 characters, so you're willing to blame *their* systems for security problems when insecure applications are executed on those systems. Alan DeKok.
Current thread:
- Re: vixie cron possible local root compromise, (continued)
- Re: vixie cron possible local root compromise Flavio Veloso (Feb 16)
- Re: vixie cron possible local root compromise Mate Wierdl (Feb 15)
- Re: vixie cron possible local root compromise Peter van Dijk (Feb 12)
- Re: vixie cron possible local root compromise Valentin Nechayev (Feb 12)
- Re: vixie cron possible local root compromise gabriel rosenkoetter (Feb 13)
- Re: vixie cron possible local root compromise Rodrigo Barbosa (aka morcego) (Feb 13)
- (CORRECTION) Re: vixie cron possible local root compromise Rodrigo Barbosa (aka morcego) (Feb 14)
- Re: vixie cron possible local root compromise Valdis Kletnieks (Feb 14)
- Re: vixie cron possible local root compromise Juergen P. Meier (Feb 15)
- Re: vixie cron possible local root compromise Nelson Brito (Feb 15)
- Re: vixie cron possible local root compromise Rodrigo Barbosa (aka morcego) (Feb 13)
- Re: vixie cron possible local root compromise Alan DeKok (Feb 13)
- Re: vixie cron possible local root compromise gabriel rosenkoetter (Feb 13)
- Re: vixie cron possible local root compromise Robert Bihlmeyer (Feb 15)
- Re: vixie cron possible local root compromise Alfred Perlstein (Feb 13)