Subject: Re: cron (was Re: BSD auth for NetBSD)
To: Steven M. Bellovin <smb@research.att.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-security
Date: 09/14/2003 00:34:36
On Sat, Sep 13, 2003 at 10:28:19PM -0400, Steven M. Bellovin wrote:
>In message <Pine.LNX.4.43.0309131918410.12784-100000@pilchuck.reedmedia.net>, "Jeremy C. Reed" writes:
>>> -r-sr-xr-x  4 root  wheel   23284 Sep  6 21:30 /usr/bin/at
>>> -r-sr-xr-x  4 root  wheel   23284 Sep  6 21:30 /usr/bin/atq
>>> -r-sr-xr-x  4 root  wheel   23284 Sep  6 21:30 /usr/bin/atrm
>>> -r-sr-xr-x  4 root  wheel   23284 Sep  6 21:30 /usr/bin/batch
>>
>>> -r-sr-xr-x  1 root  wheel   24048 Sep  6 21:30 /usr/bin/crontab
>>
>>These are easy fixes (and not related to any authentication as far as I
>>know).
>>
>>Has there been any discussion on getting rid of setuid root and just using
>>setgid of cron-specific group? (And making the cron tabs directory
>>writable by that group.)
>
>That's a distinction without a difference, since a subverted crontab 
>could rewrite root's file, which would be executed as root by crond.

well...since he said "making the cron tabs directory writable by that
group"...

what about this (silly fake output that describes what i'm thinking):

   % ls -la /var/cron/tabs
   total 4
   drwx-wx---  2 root    crontabs    512 Aug 12 23:42 .
   drwxr-xr-x  3 root    wheel       512 May 11 17:14 ..
   -rw-------  1 andrew  crontabs    357 Mar 19 08:32 andrew
   -rw-------  1 root    crontabs    934 Aug 12 23:42 root
   % ls -l /usr/bin/crontab 
   -r-xr-sr-x  1 root    crontabs  24592 Aug 11 12:43 /usr/bin/crontab*

so that users can only use crontab to put a crontab in place, cron
runs as root so that cron itself can get stuff from there (and so that
it can setuid), and if it finds a file, it ensures that the crontab
named "george" is owned by "george" (and root's is root, etc).

heck, you could even put a socket in there called "-cron" (since
usernames can't start with a - anyway) that, when connected to, would
cause cron to rescan the crontabs directory.  the crontab binary
would, of course, merely cd to that directory and then toss the
crontabs group privs.

just making stuff up late at night here...

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."
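
The check the message above describes (cron accepting the crontab named "george" only when it is owned by "george"), as an added example that is not part of the original message and is not NetBSD's cron code. The function and enum names are hypothetical, and the mode and link-count checks are assumptions added on top of the owner check the message names.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <pwd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes; the names are assumptions made for this sketch. */
enum tab_status { TAB_OK = 0, TAB_ERROR, TAB_NOT_REGULAR,
                  TAB_WRONG_OWNER, TAB_BAD_MODE, TAB_BAD_LINKS };

/* Validate an already-open crontab against the uid its file name maps to.
 * fstat() on the descriptor means the object checked is the object read. */
enum tab_status check_tab_fd(int fd, uid_t expected)
{
    struct stat st;

    if (fstat(fd, &st) == -1)
        return TAB_ERROR;
    if (!S_ISREG(st.st_mode))
        return TAB_NOT_REGULAR;
    if (st.st_uid != expected)              /* "george" must be owned by george */
        return TAB_WRONG_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO))   /* listing shows -rw------- */
        return TAB_BAD_MODE;
    if (st.st_nlink != 1)                   /* assumption: exactly one name */
        return TAB_BAD_LINKS;
    return TAB_OK;
}

/* Open <tabs_dir_fd>/<name> without following a symlink and validate it.
 * On TAB_OK, *fd_out is the descriptor to parse; otherwise it is -1. */
enum tab_status open_user_tab(int tabs_dir_fd, const char *name, int *fd_out)
{
    struct passwd *pw = getpwnam(name);
    enum tab_status rc;
    int fd;

    *fd_out = -1;
    if (pw == NULL)                         /* file name is not a user: skip it */
        return TAB_ERROR;
    /* O_NONBLOCK keeps the open from hanging if the entry is a FIFO. */
    fd = openat(tabs_dir_fd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1)
        return TAB_ERROR;
    rc = check_tab_fd(fd, pw->pw_uid);
    if (rc == TAB_OK)
        *fd_out = fd;
    else
        close(fd);
    return rc;
}
```
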