Subject: NetBSD Security Advisory 1998-004: at(1) vulnerabilities.
To: None <netbsd-announce@NetBSD.ORG, tech-security@NetBSD.ORG,>
From: <>
List: tech-security
Date: 06/27/1998 20:37:31

                 NetBSD Security Advisory 1998-004

Topic:		Problem with at(1) allows any file to be read.
Version:	NetBSD 1.3.2 and earlier.  Fixed in NetBSD-current 19980626.
Severity:	Local user may be able to read any file.

- --------

Due to a bug in the at(1) program, any local user can queue any file on
the system for execution by /bin/sh, readable by root.  As at(1) returns
errors to the submitter, it is possibly that they may obtain parts of
the file.

Technical Details
- -----------------

The at(1) sources use seteuid(2) to user ID swap between the user and
root.  at(1) incorrectly was setting it's cached real and effective user
ID to 0 before opening a filename passed via the -f flag, allowing any
file readable by root to be read as commands to be executed.  For
example, if at(1) was called like this:

	% at -f /etc/master.passwd now + 1 minute

portions of /etc/master.passwd may be mailed back to the user.  In this
example, the security of the passwords in /etc/master.passwd was

Solutions and Workarounds
- -------------------------

The patch listed below changes at(1) to not change the cached real and
effective user ID values, but instead, switching to root as necessary.
By removing the `REDUCE_PRIV' call, and calling `PRIV_START' and
`PRIV_END' around the final fchmod(2), security is obtained.

If the patch can not be applied, the following command should be run as
root, to remove the set-user-ID flag from the at(1) binary:

	# chmod u-s /usr/bin/at

Note that this will disable at(1) for normal users.

The patch has been made available for NetBSD 1.3, 1.3.1 and 1.3.2, and
can be found on the NetBSD FTP server:

Thanks To
- ---------

The NetBSD Project would like to thank Wolfgang Rupprecht
<> for providing information about this problem,
and matthew green <> for providing a solution.

More Information
- ----------------

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 1998, The NetBSD Foundation, Inc.  All Rights Reserved.

Version: 2.6.1