Date: Fri, 9 Jun 2017 11:47:55 -0400
From: christos@...las.com (Christos Zoulas)
To: oss-security@...ts.openwall.com
Subject: Re: Vixie/ISC Cron group crontab to root escalation

On Jun 8,  8:05pm, solar@...nwall.com (Solar Designer) wrote:
-- Subject: [oss-security] Vixie/ISC Cron group crontab to root escalation

In this patch:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/vixie-cron-4.1.20040916-owl-crond.diff

Why do:

+	if (lstat(tabname, &lstatbuf) < OK) {
+		log_it(fname, getpid(), "CAN'T LSTAT", tabname);
+		goto next_crontab;
+	}
+	if (!S_ISREG(lstatbuf.st_mode)) {
+		log_it(fname, getpid(), "NOT REGULAR", tabname);
+		goto next_crontab;
+	}
+	if ((!pw && (lstatbuf.st_mode & 07533) != 0400) ||
+	    (pw && (lstatbuf.st_mode & 07577) != 0400)) {
+		log_it(fname, getpid(), "BAD FILE MODE", tabname);
+		goto next_crontab;
+	}
+	if (lstatbuf.st_nlink != 1) {
+		log_it(fname, getpid(), "BAD LINK COUNT", tabname);
+		goto next_crontab;
+	}
+
 	if ((crontab_fd = open(tabname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < OK) {
 		/* crontab not accessible?
 		 */
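Review bot: The lstat(tabname, ...) checks at the top of this hunk and the open(tabname, ...) that follows resolve the pathname in two separate steps, so the object that passed the S_ISREG, mode and st_nlink tests is not guaranteed to be the one that gets opened if the spool entry is replaced in between. O_NOFOLLOW only refuses a symlink at open time; a regular file or hard link swapped in with a different mode or link count is not caught by it. Unless the code after the open() already does this, repeat the type, mode and link-count tests with fstat(crontab_fd, ...) on the descriptor, or at least compare its st_dev and st_ino with lstatbuf, and handle a mismatch like the other goto next_crontab cases. If the pre-open lstat() is kept on purpose so that non-regular files are never opened at all, a comment saying so would help.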

Instead of doing the open first and then fstat(2) to prevent TOCTOU?

christos
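
The open-then-fstat(2) ordering asked about above, as an added example that is not part of the original message or of the Owl patch: it applies the hunk's own mode masks and link-count test to the opened descriptor instead of the pathname. The function names, the is_user_tab parameter (standing in for the patch's pw != NULL) and the temp-file self-check are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open first, then check the inode behind the descriptor with fstat(2).
 * is_user_tab (assumed name) stands in for the patch's "pw != NULL" case. */
int open_crontab_checked(const char *tabname, int is_user_tab)
{
	struct stat sb;
	mode_t mask = is_user_tab ? 07577 : 07533;	/* masks from the patch */
	int fd = open(tabname, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
	if (fd < 0)
		return -1;	/* a symlink as final component fails with ELOOP */
	if (fstat(fd, &sb) < 0 || !S_ISREG(sb.st_mode) ||
	    (sb.st_mode & mask) != 0400 || sb.st_nlink != 1) {
		close(fd);	/* rejected before anything is read */
		return -1;
	}
	return fd;
}

static int accepted(const char *path, int is_user_tab)
{
	int fd = open_crontab_checked(path, is_user_tab);
	return fd >= 0 && close(fd) == 0;
}

/* Constructed files in a private temp dir; bit i set = case i accepted. */
int demo(void)
{
	char dir[] = "/tmp/tabXXXXXX", f[64], hard[64], sym[64];
	int r = 0;
	if (!mkdtemp(dir))
		return -1;
	snprintf(f, sizeof f, "%s/tab", dir);
	snprintf(hard, sizeof hard, "%s/hard", dir);
	snprintf(sym, sizeof sym, "%s/sym", dir);
	close(open(f, O_WRONLY | O_CREAT | O_EXCL, 0600));
	chmod(f, 0600);  r |= accepted(f, 1) << 0;	/* user tab 0600: ok */
	chmod(f, 0644);  r |= accepted(f, 1) << 1;	/* user tab 0644: bad mode */
	r |= accepted(f, 0) << 2;			/* system tab 0644: ok */
	symlink(f, sym); r |= accepted(sym, 0) << 3;	/* symlink: refused */
	link(f, hard);   r |= accepted(f, 0) << 4;	/* st_nlink == 2: refused */
	unlink(sym); unlink(hard); unlink(f); rmdir(dir);
	return r;
}

int main(void) { printf("accepted mask: 0x%x\n", demo()); return 0; }
```

Because every test runs against the descriptor, replacing the path after the open() cannot change which file is validated and then read.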
