Re: vixie cron... (fwd)
On Fri, Nov 17, 2000 at 06:24:33AM -0900, Ethan Benson wrote:
>
> On Fri, Nov 17, 2000 at 07:54:26AM -0600, An Thi-Nguyen Le wrote:
> > On Fri, Nov 17, 2000 at 03:46:19AM -0900, Ethan Benson typed:
> > } On Fri, Nov 17, 2000 at 12:36:54PM +0000, thomas lakofski wrote:
> > } > fyi -- i've not tried it.
> > }
> > } i have, it does not work, i tried several different variations and
> > } failed to create any files in /var/spool/cron.
> > }
> > } i do not believe debian is vulnerable.
> >
> > Wrong, we *are* vulnerable. Take a look /var/spool/cron/crontabs
> > instead.
>
> ah, your right, however this is not exploitable since
> /var/spool/cron/crontabs is mode 700.
>
> still should be fixed though.
Wrong again :) In most clean Debian installs it is not mode 0700.
There will be a security advisory shortly.
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan@debian.org | | dmj+@andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
Reply to: