klehr@sun.soe.clarkson.edu (Thomas J. Klehr) (05/27/90)
The versions of at and atrun in V1.5.10 appear to have a few problems in them. In atrun, the group and user are set to each other. Since atrun changes to the user and group of the file owner in /usr/spool/at/*, at has to change the owner of the file it creates after it's done making it. If at is setuid root, and atrun is either setuid root, or run only by root (via cron), it will now perform as expected.

Below are my cdiffs to fix both at.c and atrun.c for version 1.5.10.

Thomas J. Klehr
--
Thomas J. Klehr

SA44@LIVERPOOL.AC.UK (Kevin Maguire) (05/30/90)
At and atrun only need be setgid at. Setting them as uid root is a potential security hole :-( Create a new group at, and make /usr/spool/at and /usr/spool/at/old (or whatever this is called) writable by group at.

Kevin Maguire
Nsfnet : sa44%liv.ac.uk@nsfnet-relay.ac.uk
Uucp : ...!mcsun!ukc!liv-ib!sa44

klehr@sun.soe.clarkson.edu (Thomas J. Klehr) (05/31/90)
In article <90150.164149SA44@LIVERPOOL.AC.UK> SA44@LIVERPOOL.AC.UK (Kevin Maguire) writes:
>At and atrun only need be setgid at. Setting them as uid root is a potential
>security hole :-( Create a new group at, and make /usr/spool/at and
>/usr/spool/at/old (or whatever this is called) writable by group at.

But, the "atrun" program uses setuid() and setgid() to make the process run as if the person who made it (via at) had done it himself. Likewise, "at" must chown() the new file in order to save the user's uid and gid. If "at" was setgid() only, then the file created would have "at"'s gid, and when it ran from "atrun" (if atrun is setuid root), it might be able to do something it isn't supposed to do, like "rm -rf /usr/spool/at". If it doesn't matter who owns the process atrun forks, then using a new group will work fine.

If, however, at.c and atrun.c are both written correctly (and I'm not saying that they're not now), then setuid root should not create any problems. If you look at the diffs I posted for at.c, you'll see that it unlinks any file that it can't chown correctly. If it didn't, the file would still be owned by root, and when atrun came along, it would run it as if root created it.

I would like to remind you that, according to V1.5.10's fixbin.sh, "at" was designed to be setuid root. And since "atrun" uses setuid() and setgid(), it should only be used by root (I have it run from cron, which is owned by root).

Tom
--
Thomas J. Klehr