Bugtraq mailing list archives

Re: vixie cron possible local root compromise


From: Valentin Nechayev <netch () IV NN KIEV UA>
Date: Tue, 13 Feb 2001 00:04:34 +0200

Sun, Feb 11, 2001 at 00:38:02, achter05 (Flatline) wrote about "vixie cron possible local root compromise":

146c146
<       strcpy(User, pw->pw_name);
---
 >       strncpy(User, pw->pw_name, MAX_UNAME - 1);
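Review bot: the strncpy(User, pw->pw_name, MAX_UNAME - 1) replacement leaves User without a terminating NUL whenever pw_name is MAX_UNAME - 1 characters or longer, so it needs an explicit `User[MAX_UNAME - 1] = '\0';` right after it; and because a silently truncated name can be the name of a different account, checking `strlen(pw->pw_name) >= MAX_UNAME` and refusing to continue is the safer change than truncating.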

Or simply remove the setuid bit on /usr/bin/crontab until a vendor patch
has been released,
just to be on the safe side.

I think your fix is too dirty because it can lead crontab to ruin the data of
another user whose name is the shortened name of the caller. It is better for the tool to
segfault instead of using an incorrectly shortened name. The best option with a fixed buffer is
to test the username size before copying:

        if( strlen(pw->pw_name) >= sizeof User ) {
                fprintf( stderr, "crontab: fatal: username too long\n" );
                exit( 1 );
        }

But, in FreeBSD (I use 5.0-CURRENT) this code already contains a strncpy
similar to yours:

=== cut src/usr.sbin/cron/crontab/crontab.c ===
        if (!(pw = getpwuid(getuid())))
                errx(ERROR_EXIT, "your UID isn't in the passwd file, bailing out");
        (void) strncpy(User, pw->pw_name, (sizeof User)-1);
        User[(sizeof User)-1] = '\0';
        strcpy(RealUser, User);
=== end cut ===

and I think it should also be corrected to reject too long usernames.


/netch
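The three behaviours discussed in this thread side by side, as an added example that is not code from the original posts or from vixie cron: a bounded copy that silently truncates (the proposed patch), the FreeBSD-style copy that at least guarantees the terminator, and the reply's check-and-reject approach. MAX_UNAME is assumed to be 20 here (a placeholder for crontab's real buffer size), the `User` array mirrors crontab's global, and the long account name is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of crontab's User[] buffer (placeholder, not taken from cron). */
#define MAX_UNAME 20

/* Constructed sample inputs: a name that fits, and one that does not. */
#define SAMPLE_SHORT_NAME "alice"
#define SAMPLE_LONG_NAME  "alice_has_a_very_long_name_indeed"

/* Mirrors the global User[] that crontab.c copies pw->pw_name into. */
static char User[MAX_UNAME];

enum copy_result { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_REJECTED = 2 };

/* Variant 1: bounded copy with explicit termination (the FreeBSD shape).
 * strncpy(dst, src, n) does NOT append a NUL when strlen(src) >= n, which is
 * why the explicit terminator on the next line is required.  The name still
 * gets silently cut, and the cut prefix may be another account's name. */
enum copy_result set_user_truncate(const char *name)
{
	strncpy(User, name, sizeof User - 1);
	User[sizeof User - 1] = '\0';
	return strlen(name) < sizeof User ? COPY_OK : COPY_TRUNCATED;
}

/* Variant 2: the reply's approach.  A name that cannot fit is an error, not
 * something to shorten; the buffer is left empty and the caller must bail. */
enum copy_result set_user_reject(const char *name)
{
	if (strlen(name) >= sizeof User) {
		User[0] = '\0';
		return COPY_REJECTED;
	}
	strcpy(User, name);	/* safe: length checked above */
	return COPY_OK;
}

const char *current_user(void)
{
	return User;
}

/* Returns 1 when truncating `name` yields exactly `other`, i.e. when the
 * truncating variant would make crontab act on behalf of a different account. */
int truncated_collides(const char *name, const char *other)
{
	set_user_truncate(name);
	return strcmp(User, other) == 0;
}

int main(void)
{
	enum copy_result r;

	r = set_user_truncate(SAMPLE_LONG_NAME);
	printf("truncate: result=%d User=\"%s\" (len %zu)\n",
	       r, current_user(), strlen(current_user()));

	r = set_user_reject(SAMPLE_LONG_NAME);
	if (r == COPY_REJECTED)
		fprintf(stderr, "crontab: fatal: username too long\n");

	r = set_user_reject(SAMPLE_SHORT_NAME);
	printf("reject: result=%d User=\"%s\"\n", r, current_user());
	return 0;
}
```

The point of `truncated_collides` is the reply's objection in runnable form: with a 20-byte buffer the 33-character sample name is cut to its first 19 characters, and if an account with exactly that prefix exists, crontab would operate on that account's spool rather than the caller's. Rejecting the name avoids both the overflow and that confusion.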

