What of cron?

Posted Jul 13, 2006 14:54 UTC (Thu) by Thalience (subscriber, #4217)
In reply to: What of cron? by lysse
Parent article: Denial of reality vulnerabilities

Furthermore, are the core dump files owned by the user, or by root?

If the core file is still owned by the user who ran the program, it seems like a very bad idea for cron to read files not owned by root from /etc/cron.d/.



What of cron?

Posted Jul 13, 2006 15:36 UTC (Thu) by cventers (subscriber, #31465)

Well, the issue is that prctl() can be used to set your program such that
its core files will be written by root, regardless of who started it.

The rationale behind that was that you might have a program that you want
to be able to debug but that might be handling sensitive data, so prctl()
lets you say "create a core file that _only_ root can read".

So the denial of service thing is definitely true. The cron interaction
just plain sucks.

What of cron?

Posted Jul 13, 2006 18:08 UTC (Thu) by hppnq (guest, #14462)

Cron gets the username from the filename, not the actual ownership of the file. (At least, on a default Dapper, this happens for files in /var/spool/cron/crontabs, where they end up if edited through crontab -e, for instance. Newer incantations seem to expect a username on the cronjob line.)

If the user "core" does not exist, a crontab -- at least, in /var/spool/cron/crontabs, haven't investigated /etc/cron.d and friends -- called "core" will be ignored by crond and an error message indicating the failure will be logged; otherwise, its jobs, if any, are run as the user core.

So if a user without root privileges can cause core files to be called "root", you're in trouble. On my default Dapper, this cannot be easily done -- but YMMV. ;-)

Oh, and yes, my Dapper also checks whether the file owner is actually the user indicated by the crontab filename. Phew. ;-)

What of cron?

Posted Jul 13, 2006 18:11 UTC (Thu) by corbet (editor, #1)

/etc/cron.d is a very different place, it has nothing to do with per-user crontabs at all.

What of cron?

Posted Jul 13, 2006 18:26 UTC (Thu) by hppnq (guest, #14462)

Yes, that's what I meant. I just didn't investigate whether cron works as designed in that case. ;-)

(By the way, I did not mean to make the problem look any less serious than it is, though. Patch!)

What of cron?

Posted Jul 13, 2006 19:31 UTC (Thu) by hppnq (guest, #14462)

"I just didn't investigate whether cron works as designed in that case."

Yup, it does. So also in the /etc/cron.d case, a cracker would at least need to be able to manipulate the core dump's filename as well. Which requires root privileges on my system.

Again, this bug is trivially exploitable. But not by just dumping core in /etc/cron.d.

What of cron?

Posted Jul 14, 2006 5:23 UTC (Fri) by hppnq (guest, #14462)

[Nice, my own thread.]

Well, investigating a bit more turns up that indeed, dumping core in /etc/cron.d is sufficient: cron really doesn't care at all what files are called in /etc/cron.d. OMG. OMG. OMG. Jon, you were right as always.

(But really, cron's security model is *unbelievably* stupid.)
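
An added example, not part of the thread or of any cron implementation: a defender's audit of a cron.d-style directory that combines the ownership check raised earlier in the thread with a file-type check, since a core written as root would pass an ownership test on its own. The function names and the `trusted_uid` parameter are hypothetical; the ELF test relies on the standard header layout (magic in bytes 0-3, byte order in byte 5, `e_type` at offset 16, `ET_CORE` = 4).

```python
import os
import stat
import struct

ET_CORE = 4  # ELF e_type value that marks a core dump


def is_elf_core(path):
    """True if the file starts with an ELF header whose e_type is ET_CORE."""
    with open(path, "rb") as fh:
        head = fh.read(18)
    if len(head) < 18 or head[:4] != b"\x7fELF":
        return False
    # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian
    endian = {1: "<", 2: ">"}.get(head[5])
    if endian is None:
        return False
    return struct.unpack(endian + "H", head[16:18])[0] == ET_CORE


def audit_cron_dir(directory="/etc/cron.d", trusted_uid=0):
    """Return {filename: [findings]} for entries that should not be run as crontabs."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat so symlinks are reported, not followed
        problems = []
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        else:
            if st.st_uid != trusted_uid:
                problems.append("owner uid %d is not %d" % (st.st_uid, trusted_uid))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("group/other writable")
            # Ownership alone is not enough: a core written as root passes it.
            if is_elf_core(path):
                problems.append("ELF core dump, not a crontab")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_cron_dir().items():
        print("%s: %s" % (name, "; ".join(problems)))
```

Run as root against the real directory so every file can be read; any reported entry is something cron may parse that an administrator did not put there as a crontab.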

What of cron?

Posted Jul 19, 2006 7:25 UTC (Wed) by hein.zelle (guest, #33324)

Has this behaviour of cron led to any separate security advisories / fixes yet?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds