When run as "crontab -e", crontab creates a temporary file in /tmp, copies the
contents of an existing crontab to this file, and then calls utime() on the
temporary file name to set its mtime and atime to 0, in order to check after
editing whether or not the file has been modified.
Since the file is created with the user's euid, and because utime is called on
the file as root, an attacker can replace the temporary file after it is
created with a symlink to any file or folder on disk, which will then have its
atime and mtime set to 0. This is certainly not a critical issue, but this
action can be used to deny service in many scenarios. For example, the cron
daemon checks the mtime of the crontab spool folder and its contents to
determine whether or not it needs to update its database of cronjobs, and if
these times are reset to 0, no new cronjobs will be added. Other daemons
relying on accurate timestamps may be similarly affected. Finally, build tools
such as make could be tricked into not re-compiling source, based on an old
timestamp.
Thanks to: Dan Rosenberg