Hi,
On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> Probably a lot of freebsd servers affected
>
> Security bug allows to edit other users crontab
>
> root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d
> /tmp
> root# echo @daily doit baby > /tmp/test
> root# crontab -u www.promspecbud.com.other /tmp/test
> root# crontab -u www.promspecbud.com -l
>
> =====output =====
> @daily doit baby
> =================
>
> root#echo @daily doit baby one more time>> /tmp/test
> root#sudo -u www.promspecbud.com.other crontab /tmp/test
> root#sudo -u www.promspecbud.com crontab -l
> =====output =====
> @daily doit baby
> @daily doit baby one more time
> =================
>
to be more specific, the bug is crontab truncates usernames to 19
characters as defined in cron.h:
#define MAX_UNAME 20 /* max length of username, should be
overkill */
# pw useradd users12345names67890
# crontab -u users12345names67890 -l
crontab: no crontab for users12345names6789
^-- cut off
_______________________________________________
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
