Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: vixie cron possible local root compromise

From: gabriel rosenkoetter <gr () ECLIPSED NET>
Date: Mon, 12 Feb 2001 13:12:02 -0500
On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:

When crontab has determined the name of the user calling crontab (using
getpwuid()),
the login name is stored in a 20 byte buffer using the strcpy() function
(which does no bounds checking). 'useradd' (the utility used to add users
to the system)
however allows usernames of over 20 characters (32 at most on my distribution).

Therefore, running crontab as a user whose login name exceeds 20 characters
crashes it.


Then your useradd is broken and doing improper bounds checking.

I'm not sure why Vixie chose 20 characters, but it should be enough,
since usernames longer than 8 characters should not be expected to
behave properly. (They system won't know they're unique.) This is a
POSIX thing, last I heard.

       ~ g r @ eclipsed.net
Previous By Date Next
Previous By Thread Next

Current thread: