On Sat, Aug 02, 2003 at 09:19:23PM -0400, Matt Zimmerman wrote:
> On Sat, Aug 02, 2003 at 02:51:03PM -0500, Steve Greenland wrote:
> 
> > Apropos of the recent setuid/setgid thread, and also being prodded by
> > Stephen Frost, I've changed crontab to be setgid 'cron' rather than
> > setuid 'root'. Beyond the coding (which is mostly removing setuid()
> > calls), this involves the following changes:
> > 
> > add system group 'cron'
> > 
> > change /var/spool/cron/crontabs from 755 root.root to 775 root.cron
> > 
> > change crontab files in the spool directory from 600 root.root to 600
> > userid.cron
> > 
> > At first glance, the only access I've added with this is that a user can
> > now view or edit (but not delete) her crontab file directly in the spool
> > directory. Since one could do all that with the crontab command anyway, it
> > doesn't seem a big deal.
> > 
> > Comments, suggestions?
> 
> If you were here, I would hug you, and if we ever do meet in person, I owe
> you a beer.
> 
> I think a few more changes are necessary, though. With the crontabs
> directory mode 775, a user who gains access to the 'cron' group could create
> a crontab file for root and thereby gain root privileges easily.
> 
> Under this setup, when cron opens a crontab file, it should fstat() it and
> check that it is owned by the uid under which its contents will be executed
> before trusting it.
It is also important to stat beforehand, to prevent stupid symlink tricks, if
we're going to be paranoid about writes to the directory. Then you compare
dev/inode with the fstat.

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
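The check Matt and Daniel describe, written out as an added example (this is not code from the thread or from Debian's cron package): lstat() the spool entry first so a planted symlink is rejected before anything follows it, open() with O_NOFOLLOW, fstat() the descriptor actually held, compare st_dev/st_ino with the lstat() result, and only then require that the owner be the uid the crontab will run as. The refusal of group- or world-writable files is an extra precaution beyond what the thread asks for, justified by the 600 mode the spool is supposed to keep. The function names, the status enum and the throw-away spool directory built by make_fixture_spool() are all assumptions made for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why a crontab open was refused (or CRONTAB_OK). */
enum crontab_status {
    CRONTAB_OK = 0,
    CRONTAB_ERR_LSTAT,       /* no such file, or lstat() failed             */
    CRONTAB_ERR_NOT_REGULAR, /* symlink, directory, fifo, device, ...       */
    CRONTAB_ERR_OPEN,        /* open() or fstat() failed                    */
    CRONTAB_ERR_SWAPPED,     /* dev/inode differ between lstat() and fstat()*/
    CRONTAB_ERR_OWNER,       /* not owned by the uid it would run as        */
    CRONTAB_ERR_MODE         /* group- or world-writable (extra check)      */
};

/* Close the descriptor and hand back the failing check. */
static enum crontab_status fail(int fd, enum crontab_status st)
{
    close(fd);
    return st;
}

/*
 * Open DIR/NAME for reading. Returns CRONTAB_OK with the descriptor in
 * *fd_out only if the file actually opened is a regular file owned by
 * expect_uid; every other result leaves *fd_out at -1 and holds no fd.
 */
enum crontab_status open_crontab_checked(const char *dir, const char *name,
                                         uid_t expect_uid, int *fd_out)
{
    char path[PATH_MAX];
    struct stat before, after;
    int fd;

    *fd_out = -1;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return CRONTAB_ERR_OPEN;

    /* 1. lstat() before opening: a symlink planted in the spool shows up
     *    as S_IFLNK here and is rejected without ever being followed.   */
    if (lstat(path, &before) != 0)
        return CRONTAB_ERR_LSTAT;
    if (!S_ISREG(before.st_mode))
        return CRONTAB_ERR_NOT_REGULAR;

    /* 2. Open without following symlinks, in case one was swapped in
     *    between the lstat() and the open().                            */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return CRONTAB_ERR_OPEN;

    /* 3. fstat() the descriptor we hold and compare dev/inode with the
     *    lstat() result, so the checks below apply to the file we will
     *    really read, not to whatever the name pointed at a moment ago. */
    if (fstat(fd, &after) != 0)
        return fail(fd, CRONTAB_ERR_OPEN);
    if (after.st_dev != before.st_dev || after.st_ino != before.st_ino ||
        !S_ISREG(after.st_mode))
        return fail(fd, CRONTAB_ERR_SWAPPED);

    /* 4. Ownership: a cron-group member who drops a file called "root"
     *    into the 775 spool still owns it, so it must not run as root.  */
    if (after.st_uid != expect_uid)
        return fail(fd, CRONTAB_ERR_OWNER);

    /* 5. Mode (extra check beyond the thread): crontab(1) installs files
     *    0600, so a group- or world-writable file did not come from it. */
    if (after.st_mode & (S_IWGRP | S_IWOTH))
        return fail(fd, CRONTAB_ERR_MODE);

    *fd_out = fd;
    return CRONTAB_OK;
}

/*
 * Constructed test spool (not a real /var/spool/cron/crontabs): "alice" is
 * a 0600 crontab owned by the caller, "bob" the same but 0666, and "root"
 * a symlink to alice, the planted-symlink trick. Returns a malloc()ed
 * directory path, or NULL on failure.
 */
char *make_fixture_spool(void)
{
    char dir[] = "/tmp/cronspool.XXXXXX";
    char path[PATH_MAX];
    const char *names[] = { "alice", "bob" };
    const mode_t modes[] = { 0600, 0666 };

    if (mkdtemp(dir) == NULL)
        return NULL;
    for (int i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        FILE *f = fopen(path, "w");
        if (f == NULL)
            return NULL;
        fputs("* * * * * /bin/true\n", f);   /* constructed crontab line */
        fclose(f);
        if (chmod(path, modes[i]) != 0)
            return NULL;
    }
    snprintf(path, sizeof path, "%s/root", dir);
    if (symlink("alice", path) != 0)
        return NULL;
    return strdup(dir);
}
```

With the fixture in place, open_crontab_checked(spool, "alice", getuid(), &fd) succeeds, "root" is refused at the lstat() step because it is a symlink, "alice" opened for a different uid is refused at the ownership step, and "bob" is refused for its mode. The dev/inode comparison is what makes the lstat() result meaningful: without it, the two stats could describe different files.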