ajs@hpfcla.UUCP (12/10/83)
#N:hpfcla:23400003:000:2291
hpfcla!ajs    Dec  8 12:50:00 1983

Subject: cron security hole (system administrators please note)

This is an expansion on an earlier article about breaking into a system via
an insecure cron.  It's not enough to just protect crontab and the directory
it lives in.  To be completely safe, all portions of all paths to crontab and
to all files it executes (including "/" too!) must also be secure.  Otherwise
it's possible to use mv(1) (and maybe mkdir(1) at some level) to substitute a
dummy crontab or replace a command executed by cron.  Either way, the result
is a Trojan horse program running with superuser privileges.

I wrote a little shell script which uses awk(1) to help you check all such
paths.  The script extracts from crontab everything that looks like a
pathname and lists the sorted, uniq'd list of pathnames and portions thereof,
including "/" and the path to crontab.  All you have to do is skim the output
looking for any filename (directory OR command) which is writable by the
general public, or by any user or group which is accessible by the general
public.

Alan Silverstein, Hewlett-Packard Fort Collins Systems Division, Colorado
ucbvax!hplabs!hpfcla!ajs, 303-226-3800 x3053, N 40 31'31" W 105 00'43"

------------ cronck.sh --------------
# Shell script to check security on files referenced by crontab.

# Initialize:

PATH=/bin:/usr/bin
file=/usr/lib/crontab		# file to read.
temp=/tmp/cronck$$		# temp file for partial results.
trap "rm -f $temp; trap '' 0; exit" 0 1 2 3

# Find pathnames, emit each part of each path, and sort and uniq results:

echo / $file |			# check "/" and file itself.
cat - $file |			# plus its contents.
awk '{
	split ($0, words);			# separate words.
	for (w in words)			# do each word.
	{
		word = words[w];			# quick value.
		while (index (word, "/"))		# contains "/".
		{
			print word;			# print current path.
			for (pos = length (word); pos; pos--)	# find last "/".
				if (substr (word, pos, 1) == "/")
					break;			# found one.
			if (pos < 2)				# none or "/xxx" only.
				break;
			word = substr (word, 1, pos - 1);	# trim "/xxx".
		}
	}
}' | sort | uniq >$temp

# Check the list of files (for now just list them as directories):

ls -ld `cat $temp`
----------------- end ---------------
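The same check carried one step further, added here as an example and not part of the original post or of cronck.sh: instead of stopping at "ls -ld" and leaving the skim to the reader, it expands every path a crontab references to all of its prefixes down to "/" and reports each component whose mode string shows a group or other write bit (and whether a writable directory at least has the sticky bit).  It assumes a POSIX sh with ls, cut, awk and sort, and the classic six-field crontab layout (minute hour day month weekday command); the function names path_prefixes, crontab_paths, check_component and cronck are mine, and the crontab in the usage comment is a constructed sample.

```sh
#!/bin/sh
# Added example (not the original cronck.sh).  Walk every path a crontab
# references, expand each to all of its prefixes down to "/", and report the
# components that group or others may write.  Assumes POSIX sh with ls, cut,
# awk, sort and a six-field crontab (minute hour day month weekday command).

# Print a path followed by each parent directory, ending with "/".
path_prefixes() {
    p=$1
    while [ -n "$p" ]; do
        printf '%s\n' "$p"
        case $p in
            /)   break ;;
            */*) p=${p%/*}                   # trim the last "/xxx"
                 if [ -z "$p" ]; then p=/; fi ;;   # "/usr" -> "" -> "/"
            *)   break ;;                    # relative name, nothing left
        esac
    done
    return 0
}

# List "/", the crontab itself, every word of a command field that contains
# a "/", and all prefixes of those, sorted and uniq'd (as cronck.sh does).
crontab_paths() {
    {
        printf '/\n%s\n' "$1"
        awk 'NF >= 6 && $1 !~ /^#/ {
                 for (i = 6; i <= NF; i++) if ($i ~ /\//) print $i
             }' "$1"
    } | while read -r w; do
        path_prefixes "${w#*>}"              # ">/dev/null" -> "/dev/null"
    done | sort -u
}

# Report one component.  The "ls -ld" mode string is used because it is
# portable where stat(1) is not: column 6 is the group write bit, column 9
# the other write bit, column 10 is "t"/"T" for a sticky directory.
# Note: ls -ld on a symlink reports the link itself, not its target.
check_component() {
    c=$1
    mode=$(ls -ld "$c" 2>/dev/null | cut -c1-10)
    if [ -z "$mode" ]; then
        printf 'missing %s\n' "$c"           # anyone able to create it wins
        return 0
    fi
    if [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
        case $mode in
            d????????[tT]) printf 'world-writable %s (sticky directory)\n' "$c" ;;
            *)             printf 'world-writable %s\n' "$c" ;;
        esac
    fi
    if [ "$(printf '%s' "$mode" | cut -c6)" = w ]; then
        printf 'group-writable %s (group %s)\n' "$c" "$(ls -ld "$c" | awk '{ print $4 }')"
    fi
    return 0
}

# Check every component reachable from a crontab; exit 1 if anything is flagged.
cronck() {
    findings=$(crontab_paths "$1" | while read -r c; do check_component "$c"; done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# usage: sh cronck2.sh /usr/lib/crontab
#   (sample constructed crontab line this handles: "0 2 * * * /usr/lib/atrun >/dev/null 2>&1")
if [ $# -eq 1 ]; then cronck "$1"; fi
```

The mode test is deliberately naive: device nodes such as /dev/null will be listed as world-writable, and a world-writable sticky directory is still reported because a component that anyone can write into deserves a look even when mv(1) is blocked there.  Anything printed is a component to examine by hand, exactly as with the original script's "ls -ld" listing.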