Cron security hole; admins take note - (nf)
ajs at hpfcla.UUCP
Sat Dec 10 18:44:05 AEST 1983
hpfcla!ajs Dec 8 12:50:00 1983
Subject: cron security hole (system administrators please note)
This is an expansion on an earlier article about breaking into a system
via an insecure cron. It's not enough to just protect crontab and the
directory it lives in. To be completely safe, all portions of all paths
to crontab and to all files it executes (including "/" too!) must also be
secure. Otherwise it's possible to use mv(1) (and maybe mkdir(1) at
some level) to substitute a dummy crontab or replace a command executed
by cron. Either way, the result is a Trojan horse program running with
superuser privileges.
I wrote a little shell script which uses awk(1) to help you check all
such paths. The script extracts from crontab everything that looks like
a pathname and lists the sorted, uniq'd list of pathnames and portions
thereof, including "/" and the path to crontab. All you have to do is
skim the output looking for any filename (directory OR command) which is
writable by the general public, or by any user or group which is
accessible by the general public.
Alan Silverstein, Hewlett-Packard Fort Collins Systems Division, Colorado
ucbvax!hplabs!hpfcla!ajs, 303-226-3800 x3053, N 40 31'31" W 105 00'43"
------------ cronck.sh --------------
# Shell script to check security on files referenced by crontab.
# Initialize:
PATH=/bin:/usr/bin
file=/usr/lib/crontab           # file to read.
temp=/tmp/cronck$$              # temp file for partial results.
trap "rm -f $temp; trap '' 0; exit" 0 1 2 3
# Find pathnames, emit each part of each path, and sort and uniq results:
echo / $file |                  # check "/" and file itself.
cat - $file |                   # plus its contents.
awk '{
    split ($0, words);                          # separate words.
    for (w in words)                            # do each word.
    {
        word = words[w];                        # quick value.
        while (index (word, "/"))               # contains "/".
        {
            print word;                         # print current path.
            for (pos = length (word); pos; pos--)   # find last "/".
                if (substr (word, pos, 1) == "/")
                    break;                      # found one.
            if (pos < 2)                        # none or "/xxx" only.
                break;
            word = substr (word, 1, pos - 1);   # trim "/xxx".
        }
    }
}' |
sort |
uniq >$temp
# Check the list of files (for now just list them as directories):
ls -ld `cat $temp`
----------------- end ---------------
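The script above leaves the reader to skim ls output by eye. As an added example (not Alan's cronck.sh), the following POSIX sh does the same prefix expansion and then reports only the components whose group or other write bit is set; the fixture directory, the crontab contents and names such as bin/backup are constructed for the demo.

```shell
# Added example, not the 1983 cronck.sh: expand every pathname named in a
# crontab into all of its prefixes and report the components that group or
# other users can write. Fixture names such as $d/bin/backup are constructed.

# path_prefixes PATH: print PATH and each ancestor, then "/" (root is always checked).
path_prefixes() {
    pp=$1
    while [ -n "$pp" ]; do
        printf '%s\n' "$pp"
        case $pp in
            */*) pp=${pp%/*} ;;   # trim the trailing "/xxx"
            *)   break ;;         # relative name, no directory part left
        esac
    done
    printf '/\n'
}
# crontab_paths FILE: every whitespace-separated word in FILE that contains "/".
crontab_paths() {
    tr -s ' \t' '\n\n' < "$1" | grep '/'
}
# writable_by_others PATH: true if the group (column 6) or other (column 9) write
# bit is set in the ls -ld mode string. Sticky dirs like /tmp are still reported
# (anyone can create new names there); paths that do not exist are skipped.
writable_by_others() {
    mode=$(ls -ld "$1" 2>/dev/null) || return 1
    case ${mode%% *} in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}
# cronck FILE: the check itself; prints each offending path component once.
cronck() {
    { printf '%s\n' "$1"; crontab_paths "$1"; } |
        while IFS= read -r w; do path_prefixes "$w"; done |
        sort -u |
        while IFS= read -r p; do writable_by_others "$p" && printf '%s\n' "$p"; done
}
# cronck_demo: constructed fixture with one world-writable directory on the path
# to a cron command; prints cronck's findings, then removes the fixture.
cronck_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/sbin" && chmod 777 "$d/bin" && chmod 755 "$d/sbin"
    : > "$d/bin/backup"; : > "$d/sbin/rotate"; chmod 755 "$d/bin/backup" "$d/sbin/rotate"
    printf '0 2 * * * %s/bin/backup\n15 3 * * * %s/sbin/rotate\n' "$d" "$d" > "$d/crontab"
    chmod 644 "$d/crontab"
    cronck "$d/crontab"     # lists $d/bin (and /tmp on systems where it is world-writable)
    rm -rf "$d"
}

cronck_demo
```

Run `cronck /etc/crontab` (or whatever your cron reads) to check a real table; every line printed is a directory or command that somebody other than its owner can rename or replace.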