recent vixie cron vulnerability

Thu Jun 1 05:49:29 PDT 2006

There was recent discovery of the problem in the vixie cron
job execution, see
http://www.securityfocus.com/bid/18108/
and
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178431
The hole exists because calls to the setuid(2) goes unchecked
for errors.

At first look, the issue seems to be irrelevant to the FreeBSD,
because, in absence of mac(9), setuid(2) and similar
calls can fail only for non-root user.

But, if mac is present, then the setuid(2) could fail,
and our version 3.0 cron will execute user job with zero uid as well.
To trick the cron into the problem, some mac policy shall be present in the
kernel that would fail setuid() call for some reasons.

Do you consider this important enough to justify the patch ?

Index: cron/do_command.c
===================================================================
RCS file: /usr/local/arch/ncvs/src/usr.sbin/cron/cron/do_command.c,v
retrieving revision 1.23
diff -u -r1.23 do_command.c

--- cron/do_command.c	24 Aug 2005 17:51:36 -0000	1.23
+++ cron/do_command.c	1 Jun 2006 12:47:31 -0000
@@ -245,12 +245,29 @@
 			/* set our directory, uid and gid.  Set gid first,
 			 * since once we set uid, we've lost root privledges.
 			 */
-			setgid(e->gid);
+			if (setgid(e->gid) != 0) {
+				log_it(usernm,getpid(),"error","setgid failed");
+				exit(ERROR_EXIT);
+				/*NOTREACHED*/
+			}
 # if defined(BSD)
-			initgroups(usernm, e->gid);
+			if (initgroups(usernm, e->gid) != 0) {
+				log_it(usernm,getpid(),"error","initgroups failed");
+				exit(ERROR_EXIT);
+				/*NOTREACHED*/
+			}				
 # endif
-			setlogin(usernm);
-			setuid(e->uid);		/* we aren't root after this..*/
+			if (setlogin(usernm) != 0) {
+				log_it(usernm,getpid(),"error","setlogin failed");
+				exit(ERROR_EXIT);
+				/*NOTREACHED*/
+			}
+			if (setuid(e->uid) != 0) {
+				log_it(usernm,getpid(),"error","setuid failed");
+				exit(ERROR_EXIT);
+				/*NOTREACHED*/
+			}
+			/* we aren't root after this..*/
 #if defined(LOGIN_CAP)
 		}
 		if (lc != NULL)
Index: cron/popen.c
===================================================================
RCS file: /usr/local/arch/ncvs/src/usr.sbin/cron/cron/popen.c,v
retrieving revision 1.12
diff -u -r1.12 popen.c
--- cron/popen.c	6 Feb 2002 02:00:07 -0000	1.12
+++ cron/popen.c	1 Jun 2006 12:47:31 -0000
@@ -175,12 +175,21 @@
 				/* set our directory, uid and gid.  Set gid first,
 				 * since once we set uid, we've lost root privledges.
 				 */
-				setgid(e->gid);
+				if (setgid(e->gid) != 0)
+					_exit(ERROR_EXIT);
+				/*NOTREACHED*/
 # if defined(BSD)
-				initgroups(usernm, e->gid);
+				if (initgroups(usernm, e->gid) != 0)
+					_exit(ERROR_EXIT);
+				/*NOTREACHED*/
 # endif
-				setlogin(usernm);
-				setuid(e->uid);         /* we aren't root after this..*/
+				if (setlogin(usernm) != 0)
+					_exit(ERROR_EXIT);
+				/*NOTREACHED*/
+				if (setuid(e->uid) != 0)
+					_exit(ERROR_EXIT);
+				/*NOTREACHED*/
+				/* we aren't root after this..*/
 #if defined(LOGIN_CAP)
 			}
 			if (lc != NULL)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20060601/062e9726/attachment.pgp
