richmon@astrovax.UUCP (Michael Richmond) (08/29/85)
The accounting package I advertised a while back has been posted to net.sources. Have fun with it, and let me know if I screwed up again.

There is a security problem with the at command I posted earlier: because the atrun program gets the uid and gid it should set things to from the file in /usr/spool/at, a user can use 'chown' to make a file he submitted be owned by anyone (i.e. root) and so executed with that uid! Obviously, this is not desirable if there are any untrustworthy types who would be using the system.

One fix is to make the directory /usr/spool/at unwritable, so that people can't change files once they are submitted, but this is annoying if you discover that you already did a long job and want to stop the one you just submitted. I am working on a version that will check the integrity of each command file in /usr/spool/at via a private little file with some stuff in it BEFORE running anything, but it strikes me to be a hack. Still, I'll repost the whole thing when I'm done.

The real problem is System V's 'chown' command (so those systems without it, ignore all this); can anyone think of some cleaner way?

--
Michael Richmond
Princeton University, Astrophysics
{allegra,akgua,burl,cbosgd,decvax,ihnp4,noao,princeton,vax135}!astrovax!richmon
guy@sun.uucp (Guy Harris) (08/31/85)
> There is a security problem with the at command I posted earlier:
> because the atrun program gets the uid and gid it should set things
> to from the file in /usr/spool/at, a user can use 'chown' to make
> a file he submitted be owned by anyone (i.e. root) and so executed
> with that uid!... The real problem is System V's 'chown' command
> (so those systems without it, ignore all this); can anyone think
> of some cleaner way?

"chown" system call, not command, actually.

Yes, there is a cleaner solution, which is used by the System V "at" command (yes, it has one, but if the PC 7300 doesn't have it I have no idea why; things like "cron" and "at" are useful even on single-user machines). Have "at" turn the set-UID bit on for all scripts, and have "atrun" require that bit to be on. "chown"s not done by the super-user cause the set-UID bit to be turned off (obviously).

Guy Harris
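The two posts above describe a flaw and its fix without showing either in code. The following C program is an added example, not code from either poster or from any "at"/"atrun" implementation: `owner_naive` reads a job's credentials from the spool file's owner alone (the problem in the first post), while `owner_checked` additionally requires the set-UID bit that "at" would set on submission (the fix in the reply), and `chown_strips_marker` shows why that works: POSIX `chown()` by an unprivileged process clears S_ISUID on a regular file. The spool path under /tmp, the `submit_job` helper and the rule that spool entries must not be group- or world-writable are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The flaw from the first post: credentials come purely from the spool
 * file's owner, so whoever can chown() the file picks the uid/gid the
 * job runs as. */
int owner_naive(const char *path, uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* The fix from the reply: "at" sets S_ISUID when it writes the script and
 * "atrun" refuses any file without it. A chown() done by a non-superuser
 * clears that bit, so a job chown'ed to someone else loses the marker. */
int owner_checked(const char *path, uid_t *uid, gid_t *gid)
{
    struct stat st;
    if (lstat(path, &st) != 0)            /* lstat: never follow a symlink */
        return -1;
    if (!S_ISREG(st.st_mode))
        return -1;
    if (!(st.st_mode & S_ISUID))          /* marker absent: hand-placed or chown'ed */
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) /* assumption: owner-writable only */
        return -1;
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* What "at" would do on submission (hypothetical helper): write the script
 * with a private mode, then turn the set-UID marker on. */
int submit_job(const char *path, const char *script)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    size_t len = strlen(script);
    if (fd < 0)
        return -1;
    if (write(fd, script, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    close(fd);
    return chmod(path, S_ISUID | S_IRUSR | S_IWUSR | S_IXUSR);
}

/* Returns 1 if a chown() to our own ids stripped the marker, 0 if the bit
 * survived (possible when run as the superuser on some systems), -1 on error. */
int chown_strips_marker(const char *path)
{
    struct stat st;
    if (chown(path, getuid(), getgid()) != 0 || stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 0 : 1;
}

/* Walks a constructed spool entry through its states. Returns 0 when every
 * step behaves as the thread describes, otherwise the failing step number. */
int run_demo(void)
{
    char path[] = "/tmp/atjob-XXXXXX";   /* constructed spool file */
    uid_t u = (uid_t)-1;
    gid_t g = (gid_t)-1;
    int fd = mkstemp(path);
    int rc;

    if (fd < 0)
        return 1;
    close(fd);

    /* Step 2: a bare file (mode 0600, no marker). The naive reader returns
     * its owner; the checked reader refuses it. */
    if (owner_naive(path, &u, &g) != 0 || owner_checked(path, &u, &g) == 0) {
        rc = 2;
        goto done;
    }
    /* Step 3: a properly submitted job carries the marker and is accepted
     * with the submitting user's credentials. */
    if (submit_job(path, "#!/bin/sh\necho hello\n") != 0 ||
        owner_checked(path, &u, &g) != 0 || u != getuid()) {
        rc = 3;
        goto done;
    }
    rc = 0;
done:
    unlink(path);
    return rc;
}

int main(void)
{
    char path[] = "/tmp/atjob-XXXXXX";
    int fd = mkstemp(path);
    printf("demo: %s\n", run_demo() == 0 ? "ok" : "FAILED");
    if (fd >= 0) {
        close(fd);
        if (submit_job(path, "#!/bin/sh\necho hello\n") == 0)
            printf("chown() strips S_ISUID: %d\n", chown_strips_marker(path));
        unlink(path);
    }
    return 0;
}
```

The `main` additionally runs `chown_strips_marker` on a freshly submitted job, which prints 1 for an unprivileged user on any POSIX system; whether the superuser's `chown()` also clears the bit is implementation-defined, which is exactly the reply's point that the check holds against "chowns not done by the super-user".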