List:       bugtraq
Subject:    Another buggy root cron job
From:       Steve Reid <steve () edmweb ! com>
Date:       1996-12-25 0:16:47

Another cron job temp file bug that affects FreeBSD and possibly others.

/usr/libexec/locate.updatedb is called from /etc/weekly. It has _exactly_
the same problem as /etc/security with its opening temp files. By
default, it uses /var/tmp instead of /tmp, but they're both mode 1777 so
it doesn't make any difference. I was able to overwrite my own
/etc/master.passwd by just creating a symlink (as a normal user) and
running locate.updatedb (as root). I don't know if the content of the
files can be manipulated enough to gain root, but users being able to
munge any file on the system is not a Good Thing.

This was on a FreeBSD 2.1.0-RELEASE system. The locate.updatedb is
identical on my 2.1-stable (which is now 2.1.6.1-RELEASE) machine.

The easiest fix for this is the same as the easiest fix for /etc/security:
use a root-only directory such as /var/run instead of something world
writable. There's a handy line for this in the script:

if (! $?TMPDIR) setenv TMPDIR /var/tmp

Change it to
if (! $?TMPDIR) setenv TMPDIR /var/run
                                   ^^^
or just
setenv TMPDIR /var/run


Merry Christmas.

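
Added example, not part of the original post and not code from FreeBSD: a sandboxed comparison of a predictable temp file name in a mode 1777 directory with a private directory created by mktemp -d. It generalizes the fix above (a directory other users cannot write to) without depending on /var/run; the name "example.tmp" and the "victim" file are constructed for the demonstration.

```sh
#!/bin/sh
# Added example. Everything runs inside a throwaway sandbox; the file name
# "example.tmp" and the "victim" file are constructed for the demonstration.

# Weak pattern: fixed name in a shared 1777 directory. A plain ">" follows
# a symlink that another user placed at that name beforehand.
write_predictable() {            # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/example.tmp"
}

# Hardened pattern: mktemp -d atomically creates a mode-0700 directory with
# an unpredictable name, so no other user can pre-place anything inside it.
write_private() {                # $1 = shared dir, $2 = data; prints file path
    dir=$(mktemp -d "$1/job.XXXXXXXXXX") || return 1
    printf '%s\n' "$2" > "$dir/example.tmp" || return 1
    printf '%s\n' "$dir/example.tmp"
}

# Build a sandbox holding a shared directory, a victim file, and a
# pre-placed symlink at the predictable name. Prints the sandbox path.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/shared" && chmod 1777 "$sb/shared" || return 1
    printf 'original\n' > "$sb/victim"
    ln -s "$sb/victim" "$sb/shared/example.tmp"
    printf '%s\n' "$sb"
}

# Each demo prints the victim file's content after the job has written.
demo_weak() {
    sb=$(make_sandbox) || return 1
    write_predictable "$sb/shared" "job output"
    cat "$sb/victim"; rm -rf "$sb"
}

demo_hardened() {
    sb=$(make_sandbox) || return 1
    out=$(write_private "$sb/shared" "job output") || return 1
    cat "$sb/victim"; rm -rf "$sb"
}

echo "predictable name: victim now contains '$(demo_weak)'"
echo "private directory: victim still contains '$(demo_hardened)'"
```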
