Vulnerability Development mailing list archives

crontab and sgid (was: nonsuid overflows... still at risk?)


From: Tomasz Grabowski <cadence () apollo aci com pl>
Date: Thu, 7 Jun 2001 15:43:19 +0200 (CEST)


On Wed, 6 Jun 2001, Michal Zalewski wrote:

> On Wed, 6 Jun 2001, KF wrote:
>
> > exactly what I was thinking... crontab -e calls vi to open the users
> > crontab... this is why I was wondering if it could be exploited due to
> > the fact that crontab is suid.
>
> Not really. As long as crontab itself is not broken, it should invoke vi
> without additional privileges.

While there is discussion about crontab...
'crontab' should only be suid and *not* sgid, I know that, but I think it
should be common practice that if you are using suids in your software you
should check both euid and egid. Just in case someone screwed something
up.

I saw this situation a few times on Unix systems - 'crontab' was suid and
sgid to root. In this situation you can use $EDITOR to execute something
with euid=root.
I don't know why there was an sgid bit.
Maybe the reason was one of the following:
- broken RPM
- bad practice: if you want to remove the suid bit you simply type 'chmod a-s',
but after that if you want to set that bit back you can sometimes do
'chmod a+s' instead of 'chmod u+s'.
- some kind of backdoor
- something wrong with the distribution itself

I am wondering if someone else has also seen the sgid bit on the 'crontab'
binary and can tell us what the reason for that situation is?


---
Tomasz Grabowski  (0-91)4333950
Akademickie Centrum Informatyki
mailto:cadence () man szczecin pl
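The two points raised in the post, "check both euid and egid before handing control to $EDITOR" and "a stray 'chmod a+s' leaves both bits set", as an added C example. This is editor-supplied illustration code, not crontab's source or anything from the thread. It assumes a Linux or BSD system (setresuid/setresgid are extensions, hence _GNU_SOURCE) and a writable /tmp for the constructed self-check file; the file names and function names are made up for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Report which set-id bits a file carries: bit 0 = suid, bit 1 = sgid.
 * Returns -1 if the file cannot be stat()ed. A result of 3 is exactly
 * the "chmod a+s" situation described in the post. */
int setid_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return ((st.st_mode & S_ISUID) ? 1 : 0) | ((st.st_mode & S_ISGID) ? 2 : 0);
}

/* Drop the group ids first, then the user ids, back to the caller's real
 * ids. Group first: once a suid-root process has given up uid 0 it can no
 * longer change its gid. setresgid/setresuid (Linux/BSD extensions) also
 * reset the saved ids, so the privilege cannot be regained later.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    return 0;
}

/* Verify the drop took, checking BOTH ids as the post recommends.
 * Returns 1 when euid == uid and egid == gid, otherwise 0. */
int privileges_dropped(void)
{
    return (geteuid() == getuid() && getegid() == getgid()) ? 1 : 0;
}

/* Run the user's $EDITOR on `path` only after both ids are dropped and
 * verified, so a stray sgid bit cannot hand a privileged group to the
 * editor. Returns -1 on failure; on success the process image is replaced. */
int run_editor(const char *path)
{
    const char *editor = getenv("EDITOR");
    if (editor == NULL || editor[0] == '\0')
        editor = "vi";
    if (drop_privileges() != 0 || !privileges_dropped()) {
        fprintf(stderr, "refusing to run %s with elevated ids\n", editor);
        return -1;
    }
    execlp(editor, editor, path, (char *)NULL);
    perror("execlp");
    return -1;
}

/* Self-check on a constructed temporary file (not a real crontab binary):
 * set both bits as 'chmod a+s' would, then only suid as 'chmod u+s' would,
 * and confirm setid_bits() distinguishes the two. Returns 1 on success. */
int check_setid_bits_on_temp_file(void)
{
    char name[] = "/tmp/setid-demo-XXXXXX";   /* constructed sample file */
    int ok = 0;
    int fd = mkstemp(name);
    if (fd < 0)
        return 0;
    close(fd);
    if (chmod(name, S_IRUSR | S_IWUSR | S_ISUID | S_ISGID) == 0
        && setid_bits(name) == 3
        && chmod(name, S_IRUSR | S_IWUSR | S_ISUID) == 0
        && setid_bits(name) == 1)
        ok = 1;
    unlink(name);
    return ok;
}

int main(int argc, char **argv)
{
    printf("setid self-check: %s\n",
           check_setid_bits_on_temp_file() ? "ok" : "FAILED");
    if (argc > 1)                       /* ./a.out FILE: edit FILE unprivileged */
        return run_editor(argv[1]) == 0 ? 0 : 1;
    printf("privileges dropped: %s (uid=%u euid=%u gid=%u egid=%u)\n",
           drop_privileges() == 0 && privileges_dropped() ? "yes" : "no",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

To audit an installed system for the double-bit case the post asks about, the same setid_bits() check can be run over candidate paths; a result of 3 on a binary that is only meant to be suid is the 'chmod a+s' slip and should be corrected with 'chmod g-s'.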


