Re: setgid crontab

On Sat, Aug 02, 2003 at 09:19:23PM -0400, Matt Zimmerman wrote:
> On Sat, Aug 02, 2003 at 02:51:03PM -0500, Steve Greenland wrote:
> > Apropos of the recent setuid/setgid thread, and also being prodded by
> > Stephen Frost, I've changed crontab to be setgid 'cron' rather than
> > setuid 'root'. Beyond the coding (which is mostly removing setuid()
> > calls), this involves the following changes:
> > 
> > add system group 'cron'
> > 
> > change /var/spool/cron/crontabs from 755 root.root to 775 root.cron
> > 
> > change crontab files in the spool directory from 600 root.root to 600
> > userid.cron
> > 
> > At first glance, the only access I've added with this is that a user can
> > now view or edit (but not delete) her crontab file directly in the spool
> > directory. Since one could do all that with the crontab command anyway, it
> > doesn't seem a big deal.
> > 
> > Comments, suggestions?
> If you were here, I would hug you, and if we ever do meet in person, I owe
> you a beer.
> I think a few more changes are necessary, though.  With the crontabs
> directory mode 775, a user who gains access to the 'cron' group could create
> a crontab file for root and thereby gain root privileges easily.
> Under this setup, when cron opens a crontab file, it should fstat() it and
> check that it is owned by the uid under which its contents will be executed
> before trusting it.

It is also important to stat beforehand, to prevent stupid symlink
tricks, if we're going to be paranoid about writes to the directory.
Then you compare dev/inode with the fstat.

Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
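The ownership check Matt describes and the stat-before-open dev/inode comparison above, written out as an added C example (not cron's code, and not from anyone in this thread). The helper names open_trusted_crontab and demo_checks are assumptions, and the temp-file scenario is constructed to stand in for a spool entry.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return a descriptor for `path` only if it is a regular file (not a symlink),
 * owned by expected_uid, and the same dev/inode before and after open(). */
int open_trusted_crontab(const char *path, uid_t expected_uid)
{
    struct stat pre, post;
    /* lstat() before opening: a symlink planted in the spool is refused. */
    if (lstat(path, &pre) != 0 || !S_ISREG(pre.st_mode))
        return -1;
    /* O_NOFOLLOW narrows the lstat()/open() race window further. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor actually held, then compare identity and owner.
     * Spool entries are expected to be mode 600, so writable-by-others is refused too. */
    if (fstat(fd, &post) != 0 || !S_ISREG(post.st_mode)
        || post.st_dev != pre.st_dev || post.st_ino != pre.st_ino
        || post.st_uid != expected_uid || (post.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a temp file owned by the caller stands in for a crontab;
 * a symlink to it and a wrong uid must both be rejected.  Returns 0 if all pass. */
int demo_checks(void)
{
    char path[] = "/tmp/crontab_demo_XXXXXX", link_path[64];
    int fd = mkstemp(path);          /* mkstemp() creates the file with mode 0600 */
    if (fd < 0) return 1;
    close(fd);
    snprintf(link_path, sizeof link_path, "%s.lnk", path);
    int good = open_trusted_crontab(path, getuid());             /* expected: >= 0 */
    int wrong_owner = open_trusted_crontab(path, getuid() + 1);  /* expected: -1 */
    int via_link = symlink(path, link_path) == 0
                 ? open_trusted_crontab(link_path, getuid()) : -2; /* expected: -1 */
    int rc = (good >= 0 && wrong_owner == -1 && via_link == -1) ? 0 : 1;
    if (good >= 0) close(good);
    unlink(link_path);
    unlink(path);
    return rc;
}
```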

