Source: cron
Version: 3.0pl1-127
Severity: important
Tags: security

Hi
A group crontab to root escalation via the postinst in Debian and Ubuntu has been reported, as stated in the oss-security post: http://www.openwall.com/lists/oss-security/2017/06/08/3

Our postinst contains:

| # Fixup crontab , directory and files for new group 'crontab'.
| # Can't use dpkg-statoverride for this because it doesn't cooperate nicely
| # with cron alternatives such as bcron
| if [ -d $crondir/crontabs ] ; then
|     chown root:crontab $crondir/crontabs
|     chmod 1730 $crondir/crontabs
|     # This used to be done conditionally. For versions prior to "3.0pl1-81"
|     # It has been disabled to suit cron alternative such as bcron.
|     cd $crondir/crontabs
|     set +e
|     ls -1 | xargs -r -n 1 --replace=xxx chown 'xxx:crontab' 'xxx'
|     ls -1 | xargs -r -n 1 chmod 600
|     set -e
| fi

which can be used for group-crontab-to-root escalation of privileges as described by the Qualys team in the above reference.

(Note that for the first issue, we have already had the kernel hardening in place since Debian Wheezy.)

Regards,
Salvatore
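A hardened form of the quoted per-file loop, added here as an example and not Debian's actual fix for this bug: it only touches regular, non-symlink entries of the spool directory and never lets chown dereference, so an entry planted in the group-writable directory cannot redirect the ownership change elsewhere. The helper name `fix_crontab_entries`, its arguments and the stderr message are assumptions; the directory's own chown/chmod is left out of scope.

```shell
#!/bin/sh
# Example hardening of the postinst spool loop (assumption: not the shipped fix).
# Usage: fix_crontab_entries <spool directory> [crontab group, default "crontab"]
fix_crontab_entries() {
    dir=$1
    grp=${2:-crontab}
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        # Empty directory: the glob did not expand, nothing to do.
        [ -e "$f" ] || [ -L "$f" ] || continue
        # The original loop handed every ls(1) entry to chown/chmod, which
        # follow symlinks. Skip symlinks and anything that is not a plain file.
        if [ -L "$f" ] || ! [ -f "$f" ]; then
            printf 'skipping non-regular spool entry: %s\n' "$f" >&2
            continue
        fi
        name=${f##*/}
        # -h: never dereference, so an entry swapped for a symlink between the
        # test above and this chown (TOCTOU in a 1730 directory) is not followed.
        chown -h "$name:$grp" "$f" || continue
        chmod 600 "$f"
    done
    return 0
}
```

chmod(1) has no non-dereferencing mode on Linux, so the window between the check and the chmod is narrowed by the `-f`/`-L` test but not closed; a complete fix needs the chown/chmod done by code that operates on an already-opened file descriptor.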