tags 691275 moreinfo
thanks

On Tue, Oct 23, 2012 at 09:28:05PM +0200, Jann Horn wrote:
> Debian's crontab contains multiple symlink races. If crontab was setuid root
> (which I think it normally is), this could be used to e.g. wipe directories
> (vulnerable code is in cleanup_tmp_crontab) or for other attacks. However, as
> it is only setgid crontab on Debian, the only attack this can be used for is
> to block cron access for a user named "crontab" by invoking "crontab -e" and
> replacing the folder in /tmp with a symlink before crontab creates the file
> "crontab" inside the folder. The code vulnerable to this attack is in
> create_tmp_crontab.
Could you please detail where you see the symlink races or, at least, show a proof of concept of the symlink race in action and how I can reproduce this bug?

Reviewing the code: the directory used in cleanup_tmp_crontab is actually defined in create_tmp_crontab using mkdtemp(). mkdtemp() ensures that the directory created is both unique and restricted to the user running it. This means that, as far as I know, any files created within that directory (and removed afterwards) should be "safe". This includes the unlink() calls in cleanup_tmp_crontab, as well as the rmdir() call there.

Best regards

Javier
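An added example (not Debian cron's own create_tmp_crontab/cleanup_tmp_crontab, whose code is not shown in this thread) of the pattern under discussion: a mkdtemp() directory plus a file "crontab" inside it, where the file is created and removed relative to a descriptor for the directory rather than by path, so that replacing the directory with a symlink after mkdtemp() returns cannot redirect either step. The struct and function names, and the TMPDIR fallback, are assumptions made for illustration.

```c
/* Added example (not Debian cron's code): mkdtemp() plus descriptor-relative
 * file creation and cleanup. Names are assumed for illustration only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct tmp_crontab {
    char dir[256]; /* path from mkdtemp(); used only for the final rmdir() */
    int  dirfd;    /* the directory object itself, independent of the path */
    int  fd;       /* the "crontab" file created inside it */
};

int cleanup_tmp_crontab(struct tmp_crontab *t);

/* Create $TMPDIR/crontabXXXXXX (mode 0700, owned by the caller) and the file
 * "crontab" inside it. Returns 0 on success, -1 on failure with errno set. */
int make_tmp_crontab(struct tmp_crontab *t)
{
    const char *base = getenv("TMPDIR");
    int n;
    t->dirfd = t->fd = -1;
    if (base == NULL || *base == '\0')
        base = "/tmp";
    n = snprintf(t->dir, sizeof t->dir, "%s/crontabXXXXXX", base);
    if (n < 0 || (size_t)n >= sizeof t->dir) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if (mkdtemp(t->dir) == NULL)
        return -1;
    /* Bind to the directory at once. O_NOFOLLOW makes this fail if the path
     * already points at a symlink instead of the directory just created. */
    t->dirfd = open(t->dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (t->dirfd < 0)
        goto fail;
    /* Create the file relative to dirfd, never by full path. O_CREAT|O_EXCL
     * turns any pre-existing entry, symlink or not, into a hard error. */
    t->fd = openat(t->dirfd, "crontab",
                   O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (t->fd < 0)
        goto fail;
    return 0;
fail:
    {
        int saved = errno;
        cleanup_tmp_crontab(t);
        errno = saved;
    }
    return -1;
}

/* Check that the open fd and the name "crontab" in dirfd are one and the same
 * regular file, owned by us, with a single link. Returns 1 if so, else 0. */
int tmp_crontab_is_sane(const struct tmp_crontab *t)
{
    struct stat a, b;
    if (fstat(t->fd, &a) < 0)
        return 0;
    if (fstatat(t->dirfd, "crontab", &b, AT_SYMLINK_NOFOLLOW) < 0)
        return 0;
    return S_ISREG(a.st_mode) && a.st_nlink == 1 && a.st_uid == getuid()
        && a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Remove the file through dirfd, then the directory. rmdir() does not follow
 * symlinks, so a swapped path only makes it fail with ENOTDIR. Returns 0 on
 * success, -1 if anything could not be removed. */
int cleanup_tmp_crontab(struct tmp_crontab *t)
{
    int rc = 0;
    if (t->fd >= 0) {
        close(t->fd);
        t->fd = -1;
    }
    if (t->dirfd >= 0) {
        if (unlinkat(t->dirfd, "crontab", 0) < 0 && errno != ENOENT)
            rc = -1;
        close(t->dirfd);
        t->dirfd = -1;
    }
    if (rmdir(t->dir) < 0)
        rc = -1;
    return rc;
}

int main(void)
{
    struct tmp_crontab t;
    if (make_tmp_crontab(&t) < 0) {
        perror("make_tmp_crontab");
        return 1;
    }
    printf("created %s/crontab (sane=%d)\n", t.dir, tmp_crontab_is_sane(&t));
    /* an editor would be run on t.fd's file here */
    return cleanup_tmp_crontab(&t) == 0 ? 0 : 1;
}
```

The line that matters is the openat() against dirfd with O_CREAT|O_EXCL|O_NOFOLLOW: a path-based open of .../crontabXXXXXX/crontab would follow a symlink swapped in at the directory level (O_NOFOLLOW only covers the last path component), whereas a descriptor taken with O_DIRECTORY|O_NOFOLLOW right after mkdtemp() stays bound to the directory that was actually created, and unlinkat() through that same descriptor removes the file that was actually created rather than whatever the path resolves to at cleanup time.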