What of cron?
Posted Jul 13, 2006 18:08 UTC (Thu) by hppnq (guest, #14462)
In reply to: What of cron? by cventers
Parent article: Denial of reality vulnerabilities
Cron gets the username from the filename, not the actual ownership of the file. (At least, on a default Dapper, this happens for files in /var/spool/cron/crontabs, where they end up if edited through crontab -e, for instance. Newer incantations seem to expect a username on the cronjob line.)
If the user "core" does not exist, a crontab -- at least, in /var/spool/cron/crontabs, haven't investigated /etc/cron.d and friends -- called "core" will be ignored by crond and an error message indicating the failure will be logged; otherwise, its jobs, if any, are run as the user core.
So if a user without root privileges can cause core files to be called "root", you're in trouble. On my default Dapper, this cannot be easily done -- but YMMV. ;-)
Oh, and yes, my Dapper also checks whether the file owner is actually the user indicated by the crontab filename. Phew. ;-)
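A defensive audit of the two checks the comment describes (the crontab filename must name an existing user, and the file's owner must be that user), as an added example that is not part of the original comment and is not cron's own code. The function names, verdict labels and the injectable `users` mapping are assumptions made for illustration.

```python
import os
import pwd
import stat


def system_users():
    """Map every account name in the passwd database to its uid."""
    return {p.pw_name: p.pw_uid for p in pwd.getpwall()}


def audit_spool(spool_dir, users=None):
    """Classify each file in a per-user crontab spool directory.

    Returns {filename: verdict}, where verdict is one of:
      "ok"             - name is an existing user who also owns the file
      "unknown-user"   - no account has this name
      "owner-mismatch" - file is owned by someone other than the named user
      "not-regular"    - symlink, directory, device, etc.
    """
    # `users` is injectable (hypothetical parameter) so the check can be
    # run against a constructed account list as well as the live system.
    users = system_users() if users is None else users
    report = {}
    for name in sorted(os.listdir(spool_dir)):
        # lstat: judge the entry itself, never the target of a symlink
        st = os.lstat(os.path.join(spool_dir, name))
        if not stat.S_ISREG(st.st_mode):
            report[name] = "not-regular"
        elif name not in users:
            report[name] = "unknown-user"
        elif st.st_uid != users[name]:
            report[name] = "owner-mismatch"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    # Spool path as given in the comment; reading it normally requires root.
    for fname, verdict in audit_spool("/var/spool/cron/crontabs").items():
        print(f"{verdict:15} {fname}")
```

Any "owner-mismatch" entry is the case the comment is concerned with: a file whose name claims one account while another account wrote it.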