
Re: vixie cron... (fwd)



On Fri, Nov 17, 2000 at 06:24:33AM -0900, Ethan Benson wrote:
> 
> On Fri, Nov 17, 2000 at 07:54:26AM -0600, An Thi-Nguyen Le wrote:
> > On Fri, Nov 17, 2000 at 03:46:19AM -0900, Ethan Benson typed:
> > } On Fri, Nov 17, 2000 at 12:36:54PM +0000, thomas lakofski wrote:
> > } > fyi -- i've not tried it.
> > } 
> > } i have, it does not work, i tried several different variations and
> > } failed to create any files in /var/spool/cron.
> > } 
> > } i do not believe debian is vulnerable.
> > 
> > Wrong, we *are* vulnerable.  Take a look at /var/spool/cron/crontabs
> > instead.
> 
> ah, you're right, however this is not exploitable since
> /var/spool/cron/crontabs is mode 700.  
> 
> still should be fixed though.

Wrong again :)  In most clean Debian installs it is not mode 0700. 

There will be a security advisory shortly.


Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
\--------------------------------/  \--------------------------------/


