338 – Cron allows users to obtain root access

Bug 338 - Cron allows users to obtain root access

Summary: Cron allows users to obtain root access

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	Unspecified
Hardware:	Any Any

Importance:	Normal Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	1995-04-12 00:30 UTC by pritc003
Modified:	1995-04-12 00:30 UTC (History)
CC List:	0 users

See Also:

Attachments
file.diff (1.81 KB, patch) 1995-04-12 00:30 UTC, pritc003	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description pritc003 1995-04-12 00:30:01 UTC

Cron can allow users to obtain root access the same way that
the atrun command allowed.

Fix: Cron was changed to only accept MAILTO variables that point to user names 
that actually exist in the password file.  This disallows users from 
passing arguments to sendmail and spoofing it into running as root and 
giving them root access.  If cron detected that a user name did not 
exist, and it is able to find a user name to send the mail to, it will 
add a:

X-Cron-Err: User specified in MAILTO variable does not exist

header line to the mail message to give the user some idea of
why their mail isn't going where they wanted.


Here is the patch to /usr/src/usr.sbin/cron/cron/do_command.c
to fix the problem:
How-To-Repeat: 
See all of the relavent "atrun" mail for a detailed description.  
Basically, just modify the MAILTO variable in a users crontab file
in the same way that the atrun mail information was changed to
spoof sendmail.

Comment 1 Andrey A. Chernov freebsd_committer

1995-04-13 10:26:21 UTC

State Changed
From-To: open->closed

Fixed in do_command.c 1.2