Cron can allow users to obtain root access the same way that the atrun command allowed.

Fix: Cron was changed to only accept MAILTO variables that point to user names that actually exist in the password file. This prevents users from passing arguments to sendmail and spoofing it into running as root and giving them root access. If cron detects that a user name does not exist, and it is able to find a user name to send the mail to, it adds an

X-Cron-Err: User specified in MAILTO variable does not exist

header line to the mail message to give the user some idea of why their mail isn't going where they wanted. Here is the patch to /usr/src/usr.sbin/cron/cron/do_command.c to fix the problem:

How-To-Repeat: See all of the relevant "atrun" mail for a detailed description. Basically, just modify the MAILTO variable in a user's crontab file in the same way that the atrun mail information was changed to spoof sendmail.
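The check the fix describes, written out as an added example (not the FreeBSD do_command.c patch): the MAILTO value is only used as a recipient if it names an account in the password database; otherwise output falls back to the crontab owner and the X-Cron-Err header is added. It assumes the host has a password database containing "root"; the function names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Core of the fix: return 1 only if `name` is a login that exists in
 * the password database. Anything else (including strings shaped like
 * command-line options) is refused, so MAILTO can never reach sendmail
 * as an argument. */
int mailto_user_exists(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    return getpwnam(name) != NULL;
}

/* Decide who receives a job's output. `owner` is the crontab owner.
 * Writes the X-Cron-Err header into `hdr` when the fallback is used
 * (empty string otherwise). Returns NULL if nobody can safely receive
 * the mail, in which case the caller drops it. */
const char *cron_mail_recipient(const char *mailto, const char *owner,
                                char *hdr, size_t hdrlen)
{
    hdr[0] = '\0';
    if (mailto_user_exists(mailto))
        return mailto;                  /* MAILTO names a real account */
    if (mailto_user_exists(owner)) {
        snprintf(hdr, hdrlen,
                 "X-Cron-Err: User specified in MAILTO variable does not exist\n");
        return owner;                   /* deliver to the crontab owner */
    }
    return NULL;
}

int main(void)
{
    char hdr[128];
    /* Constructed inputs: a bogus MAILTO on root's crontab. */
    const char *to = cron_mail_recipient("no-such-user-for-cron-example",
                                         "root", hdr, sizeof hdr);
    printf("recipient: %s\n%s", to ? to : "(dropped)", hdr);
    return 0;
}
```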
State Changed From-To: open->closed Fixed in do_command.c 1.2