On Wed, Apr 06, 2005 at 12:00:48PM +0200, Karol Więsek wrote:
> Details:
>
> Insufficient checks allow user to change during edition regular file to
> symbolic link to any file. While copying crontab uses root permissions,
> but also checks entries, so attacker is only able to read properly
> formatted crontab files (another user's crontabs).

Is this not the same bug as:

http://cert.uni-stuttgart.de/archive/bugtraq/2000/10/msg00326.html

which was fixed in a number of OSs at the time? For example on FreeBSD
you get an error that crontabs should be edited in place.

David.

22:23:kac 18% setenv EDITOR /tmp/c
22:23:kac 19% crontab -e
/tmp/crontab.nW9oUGhN18
$ unlink /tmp/crontab.nW9oUGhN18
$ ln -s /var/cron/tabs/root
$ set -E
$ ln -s /var/cron/tabs/root /tmp/crontab.nW9oUGhN18
$ exit
crontab: temp file must be edited in place
22:24:kac 20% uname
FreeBSD
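
An "edited in place" check like the one in the transcript above can be built by comparing the file the program originally opened with whatever the path names once the editor has exited. This is an added example, not code from the original post or from FreeBSD's crontab; edited_in_place, run_scenario and the /tmp file names are hypothetical and constructed for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 0 if `path` still names the regular file open on `fd`, -1 otherwise.
 * The open descriptor pins the original inode, so it cannot be reused. */
int edited_in_place(int fd, const char *path)
{
    struct stat opened, now;

    if (fstat(fd, &opened) < 0 || lstat(path, &now) < 0)
        return -1;
    if (!S_ISREG(now.st_mode))          /* symlink, fifo, device, ... */
        return -1;
    if (now.st_dev != opened.st_dev || now.st_ino != opened.st_ino)
        return -1;                      /* path was unlinked and recreated */
    return 0;
}

/* Constructed scenario: create a temp file, optionally replace it with a
 * symlink (standing in for what the "editor" did), then run the check.
 * Returns the check result, or -2 if the scenario could not be set up. */
int run_scenario(int swap)
{
    char path[] = "/tmp/crontab-demo.XXXXXX";     /* hypothetical name */
    char target[] = "/tmp/crontab-target.XXXXXX"; /* hypothetical name */
    int fd = mkstemp(path);
    int tfd = mkstemp(target);
    int rc;

    if (fd < 0 || tfd < 0)
        return -2;
    if (swap && (unlink(path) < 0 || symlink(target, path) < 0))
        rc = -2;
    else
        rc = edited_in_place(fd, path);
    close(fd); close(tfd);
    unlink(path); unlink(target);
    return rc;
}

int main(void)
{
    printf("untouched: %d\n", run_scenario(0));
    printf("swapped:   %d\n", run_scenario(1));
    return 0;
}
```

After a successful check the caller should read the new crontab from the descriptor it already holds rather than reopening the path, so a later swap of the path has no effect.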