Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 131381

Summary: strange rights in fcron
Product: Gentoo Linux Reporter: Kandalincev Alexandre <exe>
Component: Current packagesAssignee: Wolfram Schlich (RETIRED) <wschlich>
Status: RESOLVED DUPLICATE    
Severity: normal CC: cron-bugs+disabled, sharpshopter
Priority: High    
Version: 2005.1   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Kandalincev Alexandre 2006-04-26 14:25:09 UTC 
To have own fcrontab user must be listed in /etc/fcron/fcron.allow and also be in group cron. Otherwise user user won't be able to start fcrontab binary:
localhost ~ # ls -la /usr/bin/fcrontab 
---s--s---  1 cron cron 41064 Apr  1 20:10 /usr/bin/fcrontab

But if user in cron group he can read foreign crontabs:

messir logs # ls -la /var/spool/cron/fcrontabs/
total 40
drwxrwx--- 2 cron cron 4096 Apr 27 01:15 .
drwxr-x--- 4 root cron 4096 Apr  1 17:38 ..
-rw-r--r-- 1 root root    0 Apr  1 17:38 .keep
-rw------- 1 root root  125 Apr 27 00:55 exe
-rw-r----- 1 cron cron   44 Apr 26 14:33 exe.orig
-rw------- 1 root root  376 Apr 27 00:55 interda
-rw-r----- 1 cron cron  207 Apr 22 11:06 interda.orig
-rw------- 1 root cron   27 Apr 17 19:55 root.orig
-rw------- 1 root root  117 Apr 27 00:55 vip
-rw-r----- 1 cron cron   30 Apr 21 22:53 vip.orig

 I think thats not right. Maybe you should give anybody permission to run fcrontab and remove all users from cron group because fcrontab access is controled via fron.allow and fcron.deny
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2006-10-01 10:41:07 UTC 
Seems like this patch fixes the entire EDITOR problem:

Index: fcron-3.0.1-r2.ebuild
===================================================================
RCS file: /var/cvsroot/gentoo-x86/sys-process/fcron/fcron-3.0.1-r2.ebuild,v
retrieving revision 1.3
diff -u -B -r1.3 fcron-3.0.1-r2.ebuild
--- fcron-3.0.1-r2.ebuild       29 Sep 2006 19:19:03 -0000      1.3
+++ fcron-3.0.1-r2.ebuild       1 Oct 2006 17:40:06 -0000
@@ -74,7 +74,6 @@
                --with-fifodir=/var/run \
                --with-sendmail=/usr/sbin/sendmail \
                --with-fcrondyn=yes \
-               --with-editor=${EDITOR} \
                --with-shell=/bin/sh \
                ${myconf} \
                || die "Configure problem"
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2006-10-01 10:41:40 UTC 
Oops, wrong bug.
Comment 3 sharpshopter 2006-12-26 23:50:56 UTC 
They can do more than read other crontabs, they can delete the *.orig files (next edit, the user has to start with a blank crontab), slip in rogue commands (which unless the user notices and removes it next edit, will be run with their permissions), and delete crontab files (which will not be replaced if fcron exits uncleanly, eg. power outage).  I think this borders on being a security bug.

A quick fix to these problems is setting the sticky bit on /var/spool/cron/fcrontabs, but that still leaves your crontab leak.  For some reason, I don't know why, a user needs to be able to write to the fcrontabs directory to edit their crontab (even though the fcrontab prog is SUID cron).
Comment 4 Wolfram Schlich (RETIRED) gentoo-dev 2007-03-23 23:31:17 UTC 

*** This bug has been marked as a duplicate of bug 171393 ***