[Bug 185531] Review Request: fcron, a task scheduler

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.

Summary: Review Request: fcron, a task scheduler


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185531





------- Additional Comments From fcron@xxxxxxx  2006-03-23 15:13 EST -------
(In reply to comment #23)
> I have tried to run fcrontab. To avoid a warning, I made a patch I attach.

Your patch is very dangerous on the security point of view.
As a matter of fact, you don't check that the file is not writable
by someone else than root.
As a result, if the administrator makes a mistake and the rights
of fcron.conf become -rw-rw-rw (or -rw-rw--- if the attacker
is able to compromise say fcrontab), then an attacker could
change the sendmail line to something as:
sendmail = /my/dangerous/program
and /my/dangerous/program would be executed as root by fcron.

The strict test is here to avoid this ...

By the way, why would you like the group or the user to be able
to write in /etc/fcron.conf ??
If you just want anyone to be able to read /etc/fcron.conf
so as to remove a suid bit to fcrondyn, then you don't need 
this patch... just set the rights of the file to be 644 !

> But
> unfortunately fcrontab don't work, as root or as a user.
> 
> As root:
> [root@localhost log]# fcrontab /etc/crontab 
> 22:51:51 Could not authenticate user using PAM (4): System error
> 
> As a user:
> 22:49:06 Could not change egid to fcron[505]: Operation not permitted
> 
> Nothing appears in logs.

fcrontab needs the suid bit for the group too, so its rights should be 6755 
and not 4755 as in your patch.
(but I'm not sure about the PAM error as root: it may be something else).

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

-- 
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list

[Index of Archives]     [Fedora General Discussion]     [Fedora Art]     [Fedora Docs]     [Fedora Package Review]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite Backpacking]     [KDE Users]

  Powered by Linux