oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Vixie/ISC Cron group crontab to root escalation

From: christos () zoulas com (Christos Zoulas)
Date: Fri, 9 Jun 2017 11:47:55 -0400
On Jun 8,  8:05pm, solar () openwall com (Solar Designer) wrote:
-- Subject: [oss-security] Vixie/ISC Cron group crontab to root escalation

In this patch:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/vixie-cron-4.1.20040916-owl-crond.diff

Why do:

+       if (lstat(tabname, &lstatbuf) < OK) {
+               log_it(fname, getpid(), "CAN'T LSTAT", tabname);
+               goto next_crontab;
+       }
+       if (!S_ISREG(lstatbuf.st_mode)) {
+               log_it(fname, getpid(), "NOT REGULAR", tabname);
+               goto next_crontab;
+       }
+       if ((!pw && (lstatbuf.st_mode & 07533) != 0400) ||
+           (pw && (lstatbuf.st_mode & 07577) != 0400)) {
+               log_it(fname, getpid(), "BAD FILE MODE", tabname);
+               goto next_crontab;
+       }
+       if (lstatbuf.st_nlink != 1) {
+               log_it(fname, getpid(), "BAD LINK COUNT", tabname);
+               goto next_crontab;
+       }
+
        if ((crontab_fd = open(tabname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < OK) {
                /* crontab not accessible?
                 */

Instead of doing the open first and then fstat(2) to prevent TOCTOU?

christos
Previous By Date Next
Previous By Thread Next

Current thread: