From 9e4a8fa5f9171fb724981f53879c9b20264aeb61 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?=
Date: Wed, 17 Feb 2010 11:51:45 +0100
Subject: [PATCH] CVE-2010-0424 -- crontab -e crontab file timestamp race condition When run as "crontab -e", crontab creates a temporary file in /tmp, copies the contents of an existing crontab to this file, and then calls utime() on the temporary file name to set its mtime and atime to 0, in order to check after editing whether or not the file has been modified. Since the file is created with the user's euid, and because utime is called on the file as root, an attacker can replace the temporary file after it is created with a symlink to any file or folder on disk, which will then have its atime and mtime set to 0. This is certainly not a critical issue, but this action can be used to deny service in many scenarios. For example, the cron daemon checks the mtime of the crontab spool folder and its contents to determine whether or not it needs to update its database of cronjobs, and if these times are reset to 0, no new cronjobs will be added. Other daemons relying on accurate timestamps may be similarly affected. Finally, build tools such as make could be tricked into not re-compiling source, based on an old timestamp. Thanks to: Dan Rosenberg
---
 src/crontab.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/crontab.c b/src/crontab.c
index d39b8f2..d99cf24 100644
--- a/src/crontab.c
+++ b/src/crontab.c
@@ -436,10 +436,18 @@ static void edit_cmd(void) {
 perror(Filename);
 exit(ERROR_EXIT);
 }
+ if (swap_uids() == -1) {
+ perror("swapping uids");
+ exit(ERROR_EXIT);
+ }
 /* Set it to 1970 */
 utimebuf.actime = 0;
 utimebuf.modtime = 0;
 utime(Filename, &utimebuf);
+ if (swap_uids_back() == -1) {
+ perror("swapping uids");
+ exit(ERROR_EXIT);
+ }
 again:
 rewind(NewCrontab);
 if (ferror(NewCrontab)) {
-- 
2.40.0
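Review bot: The `utime(Filename, &utimebuf)` call between the two new uid swaps is still path-based and its return value is ignored, so the fix depends entirely on `swap_uids()` really lowering the effective uid to the invoking user (its body is not in this hunk). If `NewCrontab` is the stream already opened on the temporary file, as the following `rewind(NewCrontab)` suggests, setting the times through the descriptor, e.g. `futimens(fileno(NewCrontab), ts)` with a zeroed `struct timespec ts[2]`, would avoid resolving the name a second time. At minimum the result should be checked, `if (utime(Filename, &utimebuf) == -1) { perror(Filename); exit(ERROR_EXIT); }`, since a silent failure leaves the later modified-or-not comparison working from an unexpected mtime. Both new `perror("swapping uids")` messages are identical; distinct text such as `perror("swapping uids back")` on the second would show which swap failed. `edit_cmd` starts and ends outside the hunk.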