On Thu, 1 Sep 2016, Edho Arief wrote:
> Date: Thu, 1 Sep 2016 15:43:58
> From: Edho Arief <m...@myconan.net>
> To: freebsd-security@freebsd.org
> Subject: Re: edit others user crontab, security bug
>
> Hi,
>
> On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> > Probably a lot of freebsd servers affected
> >
> > Security bug allows editing other users' crontab
> >
> > root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
> > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
> > root# echo @daily doit baby > /tmp/test
> > root# crontab -u www.promspecbud.com.other /tmp/test
> > root# crontab -u www.promspecbud.com -l
> >
> > =====output =====
> > @daily doit baby
> > =================
> >
> > root#echo @daily doit baby one more time>> /tmp/test
> > root#sudo -u www.promspecbud.com.other crontab /tmp/test
> > root#sudo -u www.promspecbud.com crontab -l
> > =====output =====
> > @daily doit baby
> > @daily doit baby one more time
> > =================
> >
>
> To be more specific, the bug is that crontab truncates usernames to 19
> characters, as defined in cron.h:
>
> #define MAX_UNAME 20 /* max length of username, should be overkill */
>
> # pw useradd users12345names67890
> # crontab -u users12345names67890 -l
> crontab: no crontab for users12345names6789
> ^-- cut off

Apart from the crontab user length, there seem to be quite a lot of possible values to choose from (MAXLOGNAME being the FreeBSD standard, right?)

$ cd /usr/include
$ egrep "^#define.*(USER|LOG)" */*h *.h| grep MAX |grep NAME
bsm/libbsm.h:#define AU_USER_NAME_MAX 50
netsmb/smb.h:#define SMB_MAXUSERNAMELEN 128
sys/param.h:#define MAXLOGNAME 33 /* max login name length (incl. NUL) */
sys/sysctl.h:#define USER_TZNAME_MAX 20 /* int: POSIX2_TZNAME_MAX */
limits.h:#define _POSIX_LOGIN_NAME_MAX 9
stdio.h:#define L_cuserid 17 /* size for cuserid(3); MAXLOGNAME, legacy */
unistd.h:#define _SC_LOGIN_NAME_MAX 73

--
Damian Weber
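As an added illustration (not code from this thread or from cron itself), the C model below shows why the 19-character cut-off makes two distinct usernames resolve to the same crontab, and the length check a maintainer would add before using a name as a file key. MAX_UNAME is the value quoted above; the copy routine is an assumed model of the truncation, not cron's source.

```c
#include <stdio.h>
#include <string.h>

/* Value quoted from cron.h in the thread above. */
#define MAX_UNAME 20

/* Assumed model of the truncating copy (not cron's own code): the name
 * is copied into a MAX_UNAME-byte buffer, so everything after the 19th
 * character is silently dropped before the crontab file is looked up. */
void truncating_copy(const char *user, char out[MAX_UNAME])
{
    strncpy(out, user, MAX_UNAME - 1);
    out[MAX_UNAME - 1] = '\0';
}

/* Two different users collide when their first 19 characters agree:
 * both end up reading and writing the same crontab file. */
int names_collide(const char *a, const char *b)
{
    char ta[MAX_UNAME], tb[MAX_UNAME];
    truncating_copy(a, ta);
    truncating_copy(b, tb);
    return strcmp(a, b) != 0 && strcmp(ta, tb) == 0;
}

/* Hardened check: refuse any name that would not survive the copy intact
 * instead of silently operating on another user's file. MAXLOGNAME (33 on
 * FreeBSD, per the grep above) is larger than MAX_UNAME, so valid logins
 * can exceed the buffer. Returns 1 if usable, 0 if it must be rejected. */
int username_fits(const char *user)
{
    size_t n = strlen(user);
    return n > 0 && n < MAX_UNAME;
}

int main(void)
{
    /* Names taken from the report quoted in the thread. */
    const char *a = "www.promspecbud.com";
    const char *b = "www.promspecbud.com.other";
    const char *c = "users12345names67890";
    printf("%s / %s collide: %d\n", a, b, names_collide(a, b));
    printf("%s fits: %d, %s fits: %d, %s fits: %d\n",
           a, username_fits(a), b, username_fits(b), c, username_fits(c));
    return 0;
}
```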