recent vixie cron vulnerability

Robert Watson rwatson at FreeBSD.org
Thu Jun 1 06:37:02 PDT 2006


On Thu, 1 Jun 2006, Kostik Belousov wrote:

> There was a recent discovery of a problem in the vixie cron job execution, 
> see http://www.securityfocus.com/bid/18108/ and 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431. The hole exists 
> because calls to setuid(2) go unchecked for errors.
>
> At first look, the issue seems to be irrelevant to FreeBSD, because, in the 
> absence of mac(9), setuid(2) and similar calls can fail only for a non-root 
> user.
>
> But, if mac is present, then setuid(2) could fail, and our version 3.0 
> cron will execute the user job with zero uid as well. To trick cron into the 
> problem, some mac policy shall be present in the kernel that would fail the 
> setuid() call for some reason.
>
> Do you consider this important enough to justify the patch ?

Fortunately, none of our current shipped policies assert control over 
setuid(), so none of the policies we provide can result in this bug 
triggering.  However, third party policies could potentially be affected.  We 
should adopt this patch, or something like it, as such policies may exist in 
the future, and may already be present in third party code, and are desirable 
to support.

Robert N M Watson

>
> Index: cron/do_command.c
> ===================================================================
> RCS file: /usr/local/arch/ncvs/src/usr.sbin/cron/cron/do_command.c,v
> retrieving revision 1.23
> diff -u -r1.23 do_command.c
> --- cron/do_command.c	24 Aug 2005 17:51:36 -0000	1.23
> +++ cron/do_command.c	1 Jun 2006 12:47:31 -0000
> @@ -245,12 +245,29 @@
> 			/* set our directory, uid and gid.  Set gid first,
> 			 * since once we set uid, we've lost root privledges.
> 			 */
> -			setgid(e->gid);
> +			if (setgid(e->gid) != 0) {
> +				log_it(usernm,getpid(),"error","setgid failed");
> +				exit(ERROR_EXIT);
> +				/*NOTREACHED*/
> +			}
> # if defined(BSD)
> -			initgroups(usernm, e->gid);
> +			if (initgroups(usernm, e->gid) != 0) {
> +				log_it(usernm,getpid(),"error","initgroups failed");
> +				exit(ERROR_EXIT);
> +				/*NOTREACHED*/
> +			}
> # endif
> -			setlogin(usernm);
> -			setuid(e->uid);		/* we aren't root after this..*/
> +			if (setlogin(usernm) != 0) {
> +				log_it(usernm,getpid(),"error","setlogin failed");
> +				exit(ERROR_EXIT);
> +				/*NOTREACHED*/
> +			}
> +			if (setuid(e->uid) != 0) {
> +				log_it(usernm,getpid(),"error","setuid failed");
> +				exit(ERROR_EXIT);
> +				/*NOTREACHED*/
> +			}
> +			/* we aren't root after this..*/
> #if defined(LOGIN_CAP)
> 		}
> 		if (lc != NULL)
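Review bot: The four new failure branches (setgid, initgroups, setlogin, setuid) call exit(ERROR_EXIT), while the matching checks in the popen.c hunk call _exit(ERROR_EXIT). If this code runs in a forked child, exit() also runs atexit handlers and flushes stdio buffers inherited from the parent, so _exit() looks like the safer choice in both files. The log_it() messages ("setuid failed" and so on) also drop errno, so an administrator cannot tell a MAC policy denial from any other cause; consider adding strerror(errno) to the logged text. A setlogin() failure is now fatal where it was previously ignored, which deserves a line in the commit message.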
> Index: cron/popen.c
> ===================================================================
> RCS file: /usr/local/arch/ncvs/src/usr.sbin/cron/cron/popen.c,v
> retrieving revision 1.12
> diff -u -r1.12 popen.c
> --- cron/popen.c	6 Feb 2002 02:00:07 -0000	1.12
> +++ cron/popen.c	1 Jun 2006 12:47:31 -0000
> @@ -175,12 +175,21 @@
> 				/* set our directory, uid and gid.  Set gid first,
> 				 * since once we set uid, we've lost root privledges.
> 				 */
> -				setgid(e->gid);
> +				if (setgid(e->gid) != 0)
> +					_exit(ERROR_EXIT);
> +				/*NOTREACHED*/
> # if defined(BSD)
> -				initgroups(usernm, e->gid);
> +				if (initgroups(usernm, e->gid) != 0)
> +					_exit(ERROR_EXIT);
> +				/*NOTREACHED*/
> # endif
> -				setlogin(usernm);
> -				setuid(e->uid);         /* we aren't root after this..*/
> +				if (setlogin(usernm) != 0)
> +					_exit(ERROR_EXIT);
> +				/*NOTREACHED*/
> +				if (setuid(e->uid) != 0)
> +					_exit(ERROR_EXIT);
> +				/*NOTREACHED*/
> +				/* we aren't root after this..*/
> #if defined(LOGIN_CAP)
> 			}
> 			if (lc != NULL)
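Review bot: Each /*NOTREACHED*/ in this hunk follows a brace-less if, as in `if (setgid(e->gid) != 0)` / `_exit(ERROR_EXIT);` / `/*NOTREACHED*/`, so the comment sits on the path taken when the call succeeds, which is reached. Either drop these comments or wrap each branch in braces with the comment inside, as the do_command.c hunk does. These branches also exit without a log_it() call, unlike do_command.c, so a refused setuid() here would fail silently; a log line before _exit() would make the denial visible.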
>

