It looks like vixie cron has a vulnerability. There's no setuid check in do_command.c:

#if (defined(BSD)) && (BSD >= 199103)
	setlogin(usernm);
#endif /* BSD */
	setuid(e->pwd->pw_uid);	/* we aren't root after this... */
#endif /* LOGIN_CAP */
	chdir(env_get("HOME", e->envp));

	/*
	 * Exec the command.
	 */

The point is that it runs the command with uid 0 if it failed after the user ran out of PAM, ulimit or some other resource limits.

diff -uPr vixie-cron-4.1/do_command.c vixie-cron-4.1.lk/do_command.c --- vixie-cron-4.1/do_command.c 2004-08-27 22:09:34.000000000 +0400 +++ vixie-cron-4.1.lk/do_command.c 2006-05-24 15:02:44.000000000 +0400 @@ -240,12 +240,19 @@ } } #else - setgid(e->pwd->pw_gid); + initgroups(usernm, e->pwd->pw_gid); #if (defined(BSD)) && (BSD >= 199103) setlogin(usernm); #endif /* BSD */ - setuid(e->pwd->pw_uid); /* we aren't root after this... */ + // setuid(e->pwd->pw_uid); /* we aren't root after this... */ + + if (setuid(e->pwd->pw_uid)) { + fprintf(stderr, + "can't set uid for %s\n", e->pwd->pw_name); + _exit(1); + } + setgid(e->pwd->pw_gid); #endif /* LOGIN_CAP */ chdir(env_get("HOME", e->envp));
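Review bot: the added `setgid(e->pwd->pw_gid);` is placed after the checked `setuid()`, which is the wrong order: once the process runs as the unprivileged user, setgid() to a gid other than the one it already holds is refused with EPERM, and since its return value is not checked the job keeps gid 0. Move `setgid(e->pwd->pw_gid)` above `setuid(e->pwd->pw_uid)` and test its result the same way (`if (setgid(e->pwd->pw_gid)) { ... _exit(1); }`); the `initgroups(usernm, e->pwd->pw_gid)` call that replaced the old setgid() should also have its return checked, since an unchecked failure there leaves root's supplementary groups in place. Minor: the commented-out `// setuid(...)` line is dead code in a C file that otherwise uses `/* */` comments; drop it rather than keep it.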
ka0ttic please have a look and provide new ebuilds, thx
Created attachment 87472: do_command.c.patch
Comment on attachment 87472 (do_command.c.patch): setgid() first
already posted in the forums.
reassigning to maintainer, as this is more of an enhancement than exploitable bug.
(In reply to comment #5)
> reassigning to maintainer, as this is more of an enhancement than exploitable
> bug.

It's pretty easy to exploit when the user is out of resources (in my case these were the vm/rss/nproc limits in /etc/security/limits.conf): vixie-cron just runs commands from the user's spool with root privileges. It can be dangerous for hosting providers and everyone who gives access to cron.
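As an added illustration, not vixie-cron's code and not Eugene's patch, of the privilege-drop pattern this report and the "setgid() first" attachment are about: supplementary groups and gid are set while the process is still root, every call is checked, and the result is verified, so a setuid() failure (for example EAGAIN when the target user is already at its nproc limit, the limits.conf case above) aborts the child instead of letting it run the job as root. The function names drop_privileges and drop_to_user are my own; when run without an argument the program drops to its own uid/gid, which always succeeds.

```c
#define _DEFAULT_SOURCE   /* for initgroups() in glibc's <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop to user/uid/gid in the only order that works: groups, gid, uid.
 * Returns 0 on success, otherwise the errno of the failing step, with
 * *step set to that step's name. A caller about to exec a job must treat
 * any non-zero result as fatal and _exit(); falling through is the bug. */
static int drop_privileges(const char *user, uid_t uid, gid_t gid,
                           const char **step)
{
    *step = NULL;

    if (geteuid() == 0) {
        /* Supplementary groups can only be changed while still root, so
         * this must come first. An unprivileged caller could not change
         * them anyway, so it is skipped rather than failed in that case. */
        if (initgroups(user, gid) != 0) { *step = "initgroups"; return errno; }
    }

    /* gid before uid: after setuid() to an unprivileged user, setgid() to
     * a gid the process does not already hold is refused with EPERM. */
    if (setgid(gid) != 0) { *step = "setgid"; return errno; }

    /* setuid() can fail even for root, e.g. EAGAIN when the target user
     * is at RLIMIT_NPROC; an unchecked failure leaves us running as root. */
    if (setuid(uid) != 0) { *step = "setuid"; return errno; }

    /* Verify that the drop actually happened and cannot be undone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        *step = "verify-ids";
        return EPERM;
    }
    if (uid != 0 && setuid(0) == 0) {
        *step = "verify-regain-root";
        return EPERM;
    }
    return 0;
}

/* Look a user up by name and drop to it (used when a name is given). */
static int drop_to_user(const char *user, const char **step)
{
    struct passwd *pw;
    errno = 0;
    pw = getpwnam(user);
    if (pw == NULL) { *step = "getpwnam"; return errno ? errno : ENOENT; }
    return drop_privileges(user, pw->pw_uid, pw->pw_gid, step);
}

int main(int argc, char **argv)
{
    const char *step = NULL;
    int rc;

    if (argc > 1) {
        rc = drop_to_user(argv[1], &step);
    } else {
        /* No user given: demonstrate against our own ids. */
        struct passwd *pw = getpwuid(getuid());
        rc = drop_privileges(pw ? pw->pw_name : "", getuid(), getgid(), &step);
    }
    if (rc != 0) {
        fprintf(stderr, "privilege drop failed at %s: %s\n",
                step, strerror(rc));
        _exit(1);   /* never continue to exec as root */
    }
    printf("running as uid %d gid %d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run it as root with a user name to see a real drop (`./drop someuser`), or without arguments as any user to see the no-op drop succeed; with the target user's nproc limit exhausted, the setuid() step reports EAGAIN and the process exits instead of continuing.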
Eugene: ahh, I see what you mean. Re-taking bug.
cron team : please bump
Bumped myself with the patch of Eugene Ilkov (thanks!). Arches, please test and stable 4.1-r9, thanks
Stable on x86
alpha stable.
ppc stable
sparc stable.
stable on ppc64
amd64 stable.
stable on hppa
GLSA 200606-07. arm, ia64 and mips: please don't forget to mark stable to benefit from the GLSA.
The mips team doth anoint this bug with the Mark of Stability +1.