From dda8fcf99026db645fe7776dba49cf804e8ed370 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?= <mmaslano@redhat.com>
Date: Wed, 17 Feb 2010 11:51:45 +0100
Subject: [PATCH] Race condition by setting timestamp of user's crontab file

When run as "crontab -e", crontab creates a temporary file in /tmp, copies the
contents of an existing crontab to this file, and then calls utime() on the
temporary file name to set its mtime and atime to 0, in order to check after
editing whether or not the file has been modified.
Since the file is created with the user's euid, and because utime is called on
the file as root, an attacker can replace the temporary file after it is
created with a symlink to any file or folder on disk, which will then have its
atime and mtime set to 0. This is certainly not a critical issue, but this
action can be used to deny service in many scenarios. For example, the cron
daemon checks the mtime of the crontab spool folder and its contents to
determine whether or not it needs to update its database of cronjobs, and if
these times are reset to 0, no new cronjobs will be added. Other daemons
relying on accurate timestamps may be similarly affected. Finally, build tools
such as make could be tricked into not re-compiling source, based on an old
timestamp.
Thanks to: Dan Rosenberg
---
 src/crontab.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/src/crontab.c b/src/crontab.c
index d39b8f2..d99cf24 100644
--- cronie-1.4.3/src/crontab.c.old
+++ cronie-1.4.3/src/crontab.c
@@ -436,10 +436,18 @@ static void edit_cmd(void) {
 		perror(Filename);
 		exit(ERROR_EXIT);
 	}
+        if (swap_uids() == -1) {
+                perror("swapping uids");
+                exit(ERROR_EXIT);
+        }
 	/* Set it to 1970 */
 	utimebuf.actime = 0;
 	utimebuf.modtime = 0;
 	utime(Filename, &utimebuf);
+	if (swap_uids_back() == -1) {
+		perror("swapping uids");
+		exit(ERROR_EXIT);
+	}
   again:
 	rewind(NewCrontab);
 	if (ferror(NewCrontab)) {
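Review bot: The return value of `utime(Filename, &utimebuf);` is still ignored between the new swap_uids() and swap_uids_back() calls. Because the call now runs with the user's privileges, it can fail when Filename has been replaced by a symlink to something the user cannot modify, and the code then continues to `again:` with timestamps that were never reset to 0, which defeats the modified-or-not check the commit message describes. Suggest testing the result and bailing out the same way the neighbouring checks do (perror(Filename); exit(ERROR_EXIT);). Note also that the call remains path-based, so the symlink swap itself is still possible; the change only limits its effect to files the user could already touch, and setting the times through the descriptor of the already open temporary file would remove the path lookup entirely. Two smaller points: both failure branches print the same "swapping uids" message, so the output cannot tell which swap failed, and the first added block is indented with spaces while the second block and the surrounding code use tabs.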
-- 
1.6.6.1