Non-members of cron group are allowed to submit crontabs on /var/run/bcron-spool socket.

bcron-spool uses a unix domain socket file /var/run/bcron-spool for crontab submissions, served by unixserver from ucspi-unix package. bcron-spool identifies the crontab submitter by UNIXREMOTEEUID envvar provided by unixserver and does not place any restrictions on who may or may not submit crontabs, with no regard to whether the uid from UNIXREMOTEEUID is a member of cron group. The existing permissions on /usr/bin/bcrontab (root:cron 750) do not prevent any user from communicating with bcron-spool directly on the socket file (for one example of many, with a custom bcrontab executable placed into user's home directory).

This behavior must be changed to comply with the common practices as described in Gentoo Linux Cron Guide: "No matter which cron package you use, if you want to allow a user to use crontab, he will first have to be in the cron group."

Please note that such behavior in some situations may be considered a security vulnerability allowing an attacker to repeatedly compromise a system through invoking a malicious cron job even after the initially exploited vulnerability has been eliminated and all the other attacker's tools have been cleaned out.

The solution is to change the ownership and permissions of /var/run/bcron-spool to root:cron 660.

Reproducible: Always

Steps to Reproduce:
1. start bcron using the stock supervise scripts
2. log in as a user who is not a member of cron group
3. use a custom bcrontab executable to submit a crontab

Actual Results:
The crontab is submitted with no regard to the lack of cron group membership.
Created attachment 238517
an obvious fix
The fact that arbitrary users can create cronjobs is a bug indeed, but the security content of it is questionable. Reassigning to maintainer.
Your patch is applied to bcron-0.09-r2. Sorry for the wait. Thanks for the report and fix.
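An added check for the fixed state (example code, not part of the bug report, the attached patch or the bcron package): it verifies that the socket has the root:cron ownership and 660 mode proposed in the report. It assumes Linux, where connecting to a unix socket requires write permission on the socket file; `audit_socket` is a name chosen for this example.

```python
import grp
import os
import stat
import sys

SOCKET_PATH = "/var/run/bcron-spool"   # path named in the report
EXPECTED_MODE = 0o660                  # mode proposed in the report


def audit_socket(path, expected_uid, expected_gid, expected_mode=EXPECTED_MODE):
    """Return a list of findings; an empty list means the socket matches."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{path}: not a unix socket"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"{path}: group gid {st.st_gid}, expected {expected_gid}")
    # Assumption (Linux): connect() needs write permission on the socket file,
    # so the "other" write bit is what admits users outside the group.
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {mode:04o})")
    elif mode != expected_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    return findings


if __name__ == "__main__":
    try:
        cron_gid = grp.getgrnam("cron").gr_gid
    except KeyError:
        sys.exit("no 'cron' group on this system")
    problems = audit_socket(SOCKET_PATH, 0, cron_gid)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run as a script, it exits non-zero and prints each mismatch, so it can be dropped into a post-upgrade or configuration-audit job.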