temporary files created by crontab -e
Hi, trying to create a user-crontab, I found that crontab -e creates temporary files in /tmp. These files take the name /tmp/crontab.xxx where the extension seems to be the PID of the crontab -e command and thus are easy to guess by other people. Since /tmp is writable by everyone, someone else could possibly create a file following this naming convention, thereby disturbing the crontab command. I wasn´t able to smuggle data into the crontabs but this behavior can easily be used to do a DoS since the /tmp directory has the sticky-Bit set. Regards Roland Hilkenbach
On Thu, 4 May 2000, Roland Hilkenbach wrote:
Hi, trying to create a user-crontab, I found that crontab -e creates temporary files in /tmp. These files take the name /tmp/crontab.xxx where the extension seems to be the PID of the crontab -e command and thus are easy to guess by other people. Since /tmp is writable by everyone, someone else could possibly create a file following this naming convention, thereby disturbing the crontab command. I wasn´t able to smuggle data into the crontabs but this
I assume crontab checks for the files existence _before_ creating it. This is a standard when dealing with tmp files. You might consider reading more about system programming using tmp files. Just creating a file to tmp _blindly_ would be dangerous (as it might overwrite another file, possibly a link to some important file). I think crontab is written this in mind.
behavior can easily be used to do a DoS since the /tmp directory has the sticky-Bit set.
What? No sticky bits are set at my installation. That would be a major mistake allowing others to make files belonging to root:root. Just think what these files could do, if made setuid too? You should doublecheck your system, if someone has somehow made your tmp setgid- or setuid something. -Pete
Regards Roland Hilkenbach
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
hi, i think he meant the "t" bit (link bit [?] ) :) -alexm On Thu, 4 May 2000, Petri Sirkkala. wrote:
behavior can easily be used to do a DoS since the /tmp directory has the sticky-Bit set.
What? No sticky bits are set at my installation. That would be a major mistake allowing others to make files belonging to root:root. Just think what these files could do, if made setuid too? You should doublecheck your system, if someone has somehow made your tmp setgid- or setuid something.
-Pete
On Thu, 4 May 2000, alex medvedev wrote:
hi,
i think he meant the "t" bit (link bit [?] ) :)
You are of course right. Silly, blind me. :) -Pete
-alexm
On Thu, 4 May 2000, Petri Sirkkala. wrote:
behavior can easily be used to do a DoS since the /tmp directory has the sticky-Bit set.
What? No sticky bits are set at my installation. That would be a major mistake allowing others to make files belonging to root:root. Just think what these files could do, if made setuid too? You should doublecheck your system, if someone has somehow made your tmp setgid- or setuid something.
-Pete
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
participants (3)
-
alex medvedev
-
Petri Sirkkala.
-
Roland Hilkenbach