Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 9 Jun 2017 11:47:55 -0400
From: christos@...las.com (Christos Zoulas)
To: oss-security@...ts.openwall.com
Subject: Re: Vixie/ISC Cron group crontab to root escalation

On Jun 8,  8:05pm, solar@...nwall.com (Solar Designer) wrote:
-- Subject: [oss-security] Vixie/ISC Cron group crontab to root escalation

In this patch:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/vixie-cron/vixie-cron-4.1.20040916-owl-crond.diff

Why do:

+	if (lstat(tabname, &lstatbuf) < OK) {
+		log_it(fname, getpid(), "CAN'T LSTAT", tabname);
+		goto next_crontab;
+	}
+	if (!S_ISREG(lstatbuf.st_mode)) {
+		log_it(fname, getpid(), "NOT REGULAR", tabname);
+		goto next_crontab;
+	}
+	if ((!pw && (lstatbuf.st_mode & 07533) != 0400) ||
+	    (pw && (lstatbuf.st_mode & 07577) != 0400)) {
+		log_it(fname, getpid(), "BAD FILE MODE", tabname);
+		goto next_crontab;
+	}
+	if (lstatbuf.st_nlink != 1) {
+		log_it(fname, getpid(), "BAD LINK COUNT", tabname);
+		goto next_crontab;
+	}
+
 	if ((crontab_fd = open(tabname, O_RDONLY|O_NONBLOCK|O_NOFOLLOW, 0)) < OK) {
 		/* crontab not accessible?
 		 */

Instead of doing the open first and then fstat(2) to prevent TOCTOU?

christos

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.