edit others user crontab, security bug

Damian Weber dweber at htwsaar.de
Thu Sep 1 17:41:11 UTC 2016



On Thu, 1 Sep 2016, Edho Arief wrote:

> Date: Thu, 1 Sep 2016 15:43:58
> From: Edho Arief <me at myconan.net>
> To: freebsd-security at freebsd.org
> Subject: Re: edit others user crontab, security bug
> 
> Hi,
> 
> On Thu, Sep 1, 2016, at 21:47, Andrii Kuzik wrote:
> > Probably a lot of freebsd servers affected
> > 
> > Security bug allows to edit other users crontab
> > 
> > root# pw useradd -n www.promspecbud.com  -g nobody -s /bin/sh -d /tmp
> > root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
> > root# echo @daily doit baby > /tmp/test
> > root# crontab -u www.promspecbud.com.other /tmp/test
> > root# crontab -u www.promspecbud.com -l
> > 
> > =====output =====
> > @daily doit baby
> > =================
> > 
> > root#echo @daily doit baby one more time>> /tmp/test
> > root#sudo -u www.promspecbud.com.other crontab /tmp/test
> > root#sudo -u www.promspecbud.com crontab -l
> > =====output =====
> > @daily doit baby
> > @daily doit baby one more time
> > =================
> > 
> 
> 
> to be more specific, the bug is crontab truncates usernames to 19
> characters as defined in cron.h:
> 
> #define MAX_UNAME       20      /* max length of username, should be overkill */
> 
> 
> # pw useradd users12345names67890
> # crontab -u users12345names67890 -l
> crontab: no crontab for users12345names6789
>                                           ^-- cut off

apart from the crontab user length there seem to be quite a 
lot of possible values to choose from (MAXLOGNAME being the
FreeBSD standard, right?)

$ cd /usr/include
$ egrep "^#define.*(USER|LOG)" */*h *.h| grep MAX |grep NAME
bsm/libbsm.h:#define    AU_USER_NAME_MAX        50
netsmb/smb.h:#define SMB_MAXUSERNAMELEN 128
sys/param.h:#define     MAXLOGNAME      33              /* max login name length (incl. NUL) */
sys/sysctl.h:#define    USER_TZNAME_MAX         20      /* int: POSIX2_TZNAME_MAX */
limits.h:#define        _POSIX_LOGIN_NAME_MAX   9
stdio.h:#define L_cuserid       17      /* size for cuserid(3); MAXLOGNAME, legacy */
unistd.h:#define        _SC_LOGIN_NAME_MAX      73


--
Damian Weber

