Security bug allows to edit other users crontab

root# pw useradd -n www.promspecbud.com -g nobody -s /bin/sh -d /tmp
root# pw useradd -n www.promspecbud.com.other -g nobody -s /bin/sh -d /tmp
root# echo @daily doit baby > /tmp/test
root# crontab -u www.promspecbud.com.other /tmp/test
root# crontab -u www.promspecbud.com -l
=====output =====
@daily doit baby
=================
root#echo @daily doit baby one more time>> /tmp/test
root#sudo -u www.promspecbud.com.other crontab /tmp/test
root#sudo -u www.promspecbud.com crontab -l
=====output =====
@daily doit baby
@daily doit baby one more time
=================
root# uname -a
FreeBSD kuzik 10.3-RELEASE FreeBSD 10.3-RELEASE #0 r297264: Fri Mar 25 02:10:02 UTC 2016 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

Ouch. strncmp was probably used incorrectly :/..

A commit references this bug:

Author: emaste
Date: Fri Sep 2 03:15:54 UTC 2016
New revision: 305269
URL: https://svnweb.freebsd.org/changeset/base/305269

Log:
  cron: use existing maximum username constant MAXLOGNAME

  Previously cron had its own maximum username length limit, which was
  smaller than the system's MAXLOGNAME. This could lead to crontab -u
  updating the wrong user's crontab (if the name was truncated, and
  matched another user).

  PR: 212305
  Reported by: Andrii Kuzik
  Reviewed by: allanjude, jilles
  MFC after: 3 days
  Sponsored by: The FreeBSD Foundation
  Differential Revision: https://reviews.freebsd.org/D7747

Changes:
  head/usr.sbin/cron/cron/cron.h
  head/usr.sbin/cron/crontab/crontab.c

A commit references this bug:

Author: emaste
Date: Mon Sep 5 15:43:22 UTC 2016
New revision: 305423
URL: https://svnweb.freebsd.org/changeset/base/305423

Log:
  MFC r305269:

  cron: use existing maximum username constant MAXLOGNAME

  Previously cron had its own maximum username length limit, which was
  smaller than the system's MAXLOGNAME. This could lead to crontab -u
  updating the wrong user's crontab (if the name was truncated, and
  matched another user).

  PR: 212305
  Reported by: Andrii Kuzik

Changes:
  stable/11/usr.sbin/cron/cron/cron.h
  stable/11/usr.sbin/cron/crontab/crontab.c

A commit references this bug:

Author: emaste
Date: Mon Sep 5 15:50:40 UTC 2016
New revision: 305424
URL: https://svnweb.freebsd.org/changeset/base/305424

Log:
  MFC r305269:

  cron: use existing maximum username constant MAXLOGNAME

  Previously cron had its own maximum username length limit, which was
  smaller than the system's MAXLOGNAME. This could lead to crontab -u
  updating the wrong user's crontab (if the name was truncated, and
  matched another user).

  PR: 212305
  Reported by: Andrii Kuzik

Changes:
  _U stable/10/
  stable/10/usr.sbin/cron/cron/cron.h
  stable/10/usr.sbin/cron/crontab/crontab.c

A commit references this bug:

Author: emaste
Date: Mon Sep 5 16:43:58 UTC 2016
New revision: 305427
URL: https://svnweb.freebsd.org/changeset/base/305427

Log:
  MFS r305423:

  cron: use existing maximum username constant MAXLOGNAME

  Previously cron had its own maximum username length limit, which was
  smaller than the system's MAXLOGNAME. This could lead to crontab -u
  updating the wrong user's crontab (if the name was truncated, and
  matched another user).

  PR: 212305
  Reported by: Andrii Kuzik
  Approved by: re (kib)
  MFH: r305269

Changes:
  _U releng/11.0/
  releng/11.0/usr.sbin/cron/cron/cron.h
  releng/11.0/usr.sbin/cron/crontab/crontab.c

A commit references this bug:

Author: emaste
Date: Mon Sep 5 17:56:53 UTC 2016
New revision: 305429
URL: https://svnweb.freebsd.org/changeset/base/305429

Log:
  MFC r305269:

  cron: use existing maximum username constant MAXLOGNAME

  Previously cron had its own maximum username length limit, which was
  smaller than the system's MAXLOGNAME. This could lead to crontab -u
  updating the wrong user's crontab (if the name was truncated, and
  matched another user).

  PR: 212305
  Reported by: Andrii Kuzik

Changes:
  _U stable/9/usr.sbin/cron/
  stable/9/usr.sbin/cron/cron/cron.h
  _U stable/9/usr.sbin/cron/crontab/
  stable/9/usr.sbin/cron/crontab/crontab.c

*** Bug 203235 has been marked as a duplicate of this bug. ***
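
Added example (not code from the FreeBSD tree or from anyone in this thread): the truncation collision described in the commit log, shown with the two usernames from the report, next to a copy routine that rejects over-long names instead of cutting them. The buffer sizes DEMO_SMALL_MAX and DEMO_SYSTEM_MAX and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration only: a private 20-byte limit
 * (19 chars + NUL) versus a larger system-wide limit. */
#define DEMO_SMALL_MAX 20
#define DEMO_SYSTEM_MAX 33

/* Weak pattern: copy the requested name into a fixed buffer and silently
 * drop whatever does not fit. Requires outsz >= 1. */
static void name_truncating(const char *arg, char *out, size_t outsz)
{
    size_t n = strlen(arg);
    if (n > outsz - 1)
        n = outsz - 1;
    memcpy(out, arg, n);
    out[n] = '\0';
}

/* Hardened pattern: refuse a name that does not fit rather than act on a
 * shortened one. Returns 0 on success, -1 if the name is too long. */
static int name_strict(const char *arg, char *out, size_t outsz)
{
    size_t len = strlen(arg);
    if (len >= outsz)
        return -1;
    memcpy(out, arg, len + 1);
    return 0;
}

/* Returns 1 if two different names become the same string once each is
 * pushed through the truncating copy into an outsz-byte buffer. */
static int collides_after_truncation(const char *a, const char *b, size_t outsz)
{
    char ba[DEMO_SYSTEM_MAX], bb[DEMO_SYSTEM_MAX];
    if (outsz == 0 || outsz > sizeof ba)
        return 0;
    name_truncating(a, ba, outsz);
    name_truncating(b, bb, outsz);
    return strcmp(a, b) != 0 && strcmp(ba, bb) == 0;
}

int main(void)
{
    const char *shorter = "www.promspecbud.com";       /* from the report */
    const char *longer  = "www.promspecbud.com.other"; /* from the report */
    char buf[DEMO_SMALL_MAX];
    printf("small limit collides:  %d\n", collides_after_truncation(shorter, longer, DEMO_SMALL_MAX));
    printf("larger limit collides: %d\n", collides_after_truncation(shorter, longer, DEMO_SYSTEM_MAX));
    printf("strict copy of long name: %d\n", name_strict(longer, buf, sizeof buf));
    return 0;
}
```

Raising the limit removes the collision for these two names; the strict copy additionally guarantees that a name longer than the buffer is reported as an error rather than resolved to a different account.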