[Secure-testing-team] Bug#864466: cron: group crontab to root escalation via postinst

Salvatore Bonaccorso carnil at debian.org
Fri Jun 9 05:40:18 UTC 2017


Source: cron
Version: 3.0pl1-127
Severity: important
Tags: security

Hi

A group crontab to root escalation via the postinst in Debian and
Ubuntu has been reported, as stated in the oss-security post:

http://www.openwall.com/lists/oss-security/2017/06/08/3

Our postinst contains:

| # Fixup crontab, directory and files for new group 'crontab'.
| # Can't use dpkg-statoverride for this because it doesn't cooperate nicely
| # with cron alternatives such as bcron
| if [ -d $crondir/crontabs ] ; then
|     chown root:crontab $crondir/crontabs
|     chmod 1730 $crondir/crontabs
|     # This used to be done conditionally for versions prior to "3.0pl1-81".
|     # It has been disabled to suit cron alternatives such as bcron.
|     cd $crondir/crontabs
|     set +e
|     ls -1 | xargs -r -n 1 --replace=xxx  chown 'xxx:crontab' 'xxx'
|     ls -1 | xargs -r -n 1 chmod 600
|     set -e
| fi

which can be used for group-crontab-to-root escalation of privileges
as described by the Qualys team in the above reference.

(Note that for the first issue, we have already had the kernel
hardening in place since Debian Wheezy.)

Regards,
Salvatore
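A hardened counterpart to the quoted fix-up loop, added here as an illustration and not the Debian package's own fix: the postinst is shell, but coreutils chown/chmod take paths and follow symlinks, so the race-free form opens each spool entry with O_NOFOLLOW and changes mode and group through the descriptor (fchmod/fchown), which is shown in Python. It assumes the spool directory is passed as a path and, unlike the original, does not derive the file's owner from its name; `demo()` runs it on a constructed layout (one crontab, one planted symlink, one directory).

```python
import os
import stat
import tempfile

def fixup_spool(spool_dir, apply_chown=False, gid=-1):
    """Set mode 0600 on every regular file directly inside spool_dir.
    Entries are opened with O_NOFOLLOW (a planted symlink fails with ELOOP
    and is skipped), fstat confirms a single-link regular file, and mode and
    group are changed through the descriptor, never through a path, so the
    check and the change cannot be separated by a rename. Returns (fixed,
    skipped) as sorted name lists."""
    fixed, skipped = [], []
    dir_fd = os.open(spool_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in os.listdir(dir_fd):
            try:
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY,
                             dir_fd=dir_fd)
            except OSError:  # ELOOP for a symlink, EACCES, ...: leave it alone
                skipped.append(name)
                continue
            try:
                st = os.fstat(fd)
                if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                    skipped.append(name)  # directory, fifo, hard link, ...
                    continue
                os.fchmod(fd, 0o600)
                if apply_chown:  # needs root; keeps the owner, sets the group
                    os.fchown(fd, -1, gid)
                fixed.append(name)
            finally:
                os.close(fd)
    finally:
        os.close(dir_fd)
    return sorted(fixed), sorted(skipped)

def demo():
    """Constructed spool: one crontab, one planted symlink, one directory."""
    spool, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    alice = os.path.join(spool, "alice")
    target = os.path.join(outside, "some-file")  # what the symlink points at
    for path in (alice, target):
        with open(path, "w") as f:
            f.write("# m h dom mon dow command\n")
        os.chmod(path, 0o644)
    os.symlink(target, os.path.join(spool, "bob"))
    os.mkdir(os.path.join(spool, "subdir"))
    fixed, skipped = fixup_spool(spool)
    modes = [stat.S_IMODE(os.stat(p).st_mode) for p in (alice, target)]
    return fixed, skipped, modes  # (['alice'], ['bob', 'subdir'], [0o600, 0o644])
```

The symlink target keeps its original mode, which is the property the quoted `ls | xargs chmod` loop lacks.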
