Bug 134194 - sys-process/vixie-cron: check return code of setuid()
Summary: sys-process/vixie-cron: check return code of setuid()
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: A2? [glsa]
Reported: 2006-05-24 04:54 UTC by Eugene Ilkov
Modified: 2006-11-11 20:18 UTC

Attachments
do_command.c.patch (vc.diff,835 bytes, patch)
2006-05-25 05:56 UTC, Eugene Ilkov
Description Eugene Ilkov 2006-05-24 04:54:52 UTC
It looks like vixie cron has a vulnerability.
There's no setuid check in do_command.c:

#if (defined(BSD)) && (BSD >= 199103) 
setlogin(usernm); 
#endif /* BSD */ 
setuid(e->pwd->pw_uid); /* we aren't root after this... */ 

#endif /* LOGIN_CAP */ 
chdir(env_get("HOME", e->envp)); 

/* 
* Exec the command. 
*/ 

The point is that it runs the command with uid 0 if it failed after the user is out of PAM, ulimit or some other resource limits.

diff -uPr vixie-cron-4.1/do_command.c vixie-cron-4.1.lk/do_command.c 
--- vixie-cron-4.1/do_command.c 2004-08-27 22:09:34.000000000 +0400 
+++ vixie-cron-4.1.lk/do_command.c 2006-05-24 15:02:44.000000000 +0400 
@@ -240,12 +240,19 @@ 
} 
} 
#else 
- setgid(e->pwd->pw_gid); 
+ 
initgroups(usernm, e->pwd->pw_gid); 
#if (defined(BSD)) && (BSD >= 199103) 
setlogin(usernm); 
#endif /* BSD */ 
- setuid(e->pwd->pw_uid); /* we aren't root after this... */ 
+ // setuid(e->pwd->pw_uid); /* we aren't root after this... 
*/ 
+ 
+ if (setuid(e->pwd->pw_uid)) { 
+ fprintf(stderr, 
+ "can't set uid for %s\n", e->pwd->pw_name); 
+ _exit(1); 
+ } 
+ setgid(e->pwd->pw_gid); 

#endif /* LOGIN_CAP */ 
chdir(env_get("HOME", e->envp));
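Review bot: setgid(e->pwd->pw_gid) is moved below the new setuid() check at the end of the hunk, so it now runs after root has already been given up; for a non-root user it will fail, and because its return value is ignored the job keeps the group ID the process started with. Keep setgid() ahead of setuid(), where the removed line had it, and check the return values of setgid() and initgroups() the same way setuid() is now checked. The old setuid() call can be deleted outright instead of being left behind as a // comment.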
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-24 07:49:17 UTC
ka0ttic please have a look and provide new ebuilds, thx
Comment 2 Eugene Ilkov 2006-05-25 05:56:17 UTC
Created attachment 87472
do_command.c.patch
Comment 3 Eugene Ilkov 2006-05-25 05:58:16 UTC
Comment on attachment 87472
do_command.c.patch

setgid() first
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-05-25 06:12:48 UTC
already posted in the forums.
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2006-05-25 06:15:48 UTC
reassigning to maintainer, as this is more of an enhancement than exploitable bug.
Comment 6 Eugene Ilkov 2006-05-25 07:10:43 UTC
It's pretty easy to exploit.
When the user is out of resources (it was the vm/rss/nproc limits in /etc/security/limits.conf in my case), vixie-cron just runs commands from the user's spool with root privileges.
It can be dangerous for hosting providers and everyone who gives access to cron.

(In reply to comment #5)
> reassigning to maintainer, as this is more of an enhancement than exploitable
> bug.
> 
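
As an added illustration of the check discussed in this bug (not code from vixie-cron or from the attached patch), the following C example drops privileges in the order supplementary groups, gid, uid, checks every return code, and verifies that root cannot be regained. The helper name drop_privs and the sample uid/gid 65534 are assumptions made for the example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not vixie-cron's code.
 * Permanently switch the process to (uid, gid). Returns 0 only if every
 * step succeeded; returns -1 otherwise, and the caller must then refuse
 * to exec the job. */
int drop_privs(const char *user, uid_t uid, gid_t gid)
{
    /* Groups first: both calls need root, so they must precede setuid(). */
    if (initgroups(user, gid) != 0) {
        perror("initgroups");
        return -1;
    }
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    /* setuid() can fail, e.g. when the user is over a resource limit as
     * described above; ignoring that leaves the process running as root. */
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* Verify the resulting IDs instead of trusting return codes alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* For a non-root target, regaining root must be impossible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample target: uid/gid 65534 ("nobody" on many systems). */
    if (drop_privs("nobody", 65534, 65534) != 0) {
        fprintf(stderr, "privilege drop failed, not running the job\n");
        _exit(1);
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run as an unprivileged user, the program takes the failure path at initgroups(); run as root, it ends up as uid/gid 65534.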

Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2006-05-25 12:21:28 UTC
Eugene: ahh, I see what you mean. Re-taking bug..
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 11:30:16 UTC
cron team : please bump
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-01 06:17:17 UTC
Bumped myself with the patch of Eugene Ilkov (thanks!).

Arches, please test and stable 4.1-r9, thanks
Comment 10 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2006-06-01 07:39:03 UTC
Stable on x86
Comment 11 Thomas Cort (RETIRED) gentoo-dev 2006-06-01 10:59:01 UTC
alpha stable.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-01 11:16:27 UTC
ppc stable
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-01 13:07:30 UTC
sparc stable.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2006-06-02 05:58:07 UTC
stable on ppc64
Comment 15 Thomas Cort (RETIRED) gentoo-dev 2006-06-02 06:46:48 UTC
amd64 stable.
Comment 16 René Nussbaumer (RETIRED) gentoo-dev 2006-06-03 02:35:37 UTC
stable on hppa
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-09 08:54:25 UTC
GLSA 200606-07

arm, ia64 and mips please don't forget to mark stable to benefit from the GLSA.
Comment 18 Joshua Kinard gentoo-dev 2006-07-08 21:12:21 UTC
The mips team doth anoint this bug with the Mark of Stability +1.