Re: vixie cron possible local root compromise

[Alfred Perlstein <bright () WINTELCOM NET>]

* Andrew Brown <atatat () ATATDOT NET> [010213 14:38] wrote:
> > When crontab has determined the name of the user calling crontab (using
> > getpwuid()),
> > the login name is stored in a 20 byte buffer using the strcpy() function
> > (which does no bounds checking). 'useradd' (the utility used to add users
> > to the system)
> > however allows usernames of over 20 characters (32 at most on my distribution).
>
> i can see how this is an "issue", but don't you already have to be
> root to get a user name longer than 20 characters?  or are you just
> assuming that some admins out there will fail to balk at such a
> strange request?

I vaguely remeber some packages that allow non-root users to add
other non-root users, if the wrapper script/program isn't careful
about limiting the username someone trusted to do account additions
may gain root if this is exploitable.

--
-Alfred Perlstein - [bright () wintelcom net|alfred () freebsd org]
"I have the heart of a child; I keep it in a jar on my desk."