
Re: setgid crontab



On Sun, Aug 03, 2003 at 12:17:27AM -0400, Daniel Jacobowitz wrote:

> On Sat, Aug 02, 2003 at 09:19:23PM -0400, Matt Zimmerman wrote:
> > Under this setup, when cron opens a crontab file, it should fstat() it
> > and check that it is owned by the uid under which its contents will be
> > executed before trusting it.
> 
> It is also important to stat beforehand, to prevent stupid symlink tricks,
> if we're going to be paranoid about writes to the directory.  Then you
> compare dev/inode with the fstat.

That couldn't hurt either.  Though, I think it is more correct to stat after
opening the file, so that we do not rely on the filesystem's allocation of
inode numbers (the inode number of the open file cannot be reused).

So: open, fstat, stat, compare fstat.st_ino to stat.st_ino, check
fstat.st_uid.  O_EXCL should also be used when writing to the directory.

It should be noted somewhere that these protections do little good if the
system allows users to give away their files (as with the recent XFS bug),
and gid cron becomes equivalent to root again.

-- 
 - mdz
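
The sequence described in the message above (open, fstat, stat, compare inodes, check st_uid), as an added C example that is not part of the original post or of cron's source. The function name `open_trusted_crontab` is hypothetical, and `lstat()` is used for the by-name check (an assumption of this example) so that a symlink fails the comparison.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from cron): returns an open fd for path only if
 * the file is owned by expected_uid and the name still refers to the file
 * that was opened; returns -1 otherwise. */
int open_trusted_crontab(const char *path, uid_t expected_uid)
{
    struct stat opened, named;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    /* 1. fstat the descriptor: it describes the object that will be read,
     *    and its inode cannot be reused while the descriptor stays open. */
    if (fstat(fd, &opened) != 0)
        goto reject;

    /* 2. Stat the name after the open. lstat() is this example's choice:
     *    a symlink reports its own inode and so fails step 3. */
    if (lstat(path, &named) != 0)
        goto reject;

    /* 3. The name and the descriptor must be the same dev/inode pair. */
    if (opened.st_dev != named.st_dev || opened.st_ino != named.st_ino)
        goto reject;

    /* 4. Only a regular file owned by the uid whose jobs will run. */
    if (!S_ISREG(opened.st_mode) || opened.st_uid != expected_uid)
        goto reject;

    return fd;

reject:
    close(fd);
    return -1;
}

int main(int argc, char **argv)
{
    int fd = argc == 2 ? open_trusted_crontab(argv[1], geteuid()) : -1;
    puts(fd >= 0 ? "trusted" : "rejected");
    return fd >= 0 ? 0 : 1;
}
```

The caller keeps reading from the returned descriptor rather than reopening the path, so the checks stay bound to the file that was verified.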


