
Re: setgid crontab



On Mon, Aug 04, 2003 at 07:55:34PM -0700, Blars Blarson wrote:

> In article <20030803011923.GP24128@alcor.net> mdz@debian.org writes:
> >On Sat, Aug 02, 2003 at 02:51:03PM -0500, Steve Greenland wrote:
> >Under this setup, when cron opens a crontab file, it should fstat() it and
> >check that it is owned by the uid under which its contents will be executed
> >before trusting it.
> 
> It should not trust symbolic links either.  Otherwise it instantly promotes
> everything that looks like a crontab into one.

The attack scenarios for this one are pretty unlikely, but a little paranoia
can't hurt here.  I agree:

http://lists.debian.org/debian-devel/2003/debian-devel-200308/msg00191.html

-- 
 - mdz
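
The check discussed in this thread (open the crontab, fstat() the descriptor, compare the owner with the uid its contents will run as, and refuse symbolic links), as an added C example that is not part of the original message or of cron's source. The name open_crontab_checked, the regular-file test and the O_NONBLOCK flag are assumptions of the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* exposes O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not cron's own code): return an open fd only if
 * path is a regular file, is not a symlink, and is owned by expected_uid.
 * Returns -1 with errno set otherwise. */
int open_crontab_checked(const char *path, uid_t expected_uid)
{
    struct stat st;
    int saved;
    /* O_NOFOLLOW: open() fails if the final path component is a symlink.
     * O_NONBLOCK: do not hang if the name turns out to be a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;

    /* fstat() the descriptor rather than stat() the path, so the checks
     * apply to the object that will actually be read (no check/use race). */
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) && st.st_uid == expected_uid)
            return fd;
        errno = EPERM;            /* wrong owner or not a regular file */
    }
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s CRONTAB\n", argv[0]);
        return 2;
    }
    /* Stand-alone demo: the expected owner is the calling user. */
    int fd = open_crontab_checked(argv[1], getuid());
    if (fd < 0) { perror(argv[1]); return 1; }
    puts("ok: regular file, not a symlink, owned by caller");
    close(fd);
    return 0;
}
```

O_NOFOLLOW only covers the final path component, so the spool directory itself still has to be writable only by trusted ids.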


