Cor wrote:
>
> One of the bugs I found and reported to Vixie about a year ago regarding
> his vixiecron, was that you could do the following:
>
> MAILTO="whatever; /bin/cp /bin/sh /tmp; chmod 4777 /tmp/sh"
>
> He fixed this, and with it introduced a new bug we also reported.
> I can't really remember the details, but it had something to do with
> a temporary file he was using, that you could predict, and thus link
> to /etc/master.passwd or something.
>

I heard that there were three major security holes in previous versions
of VixieCron. Two of them I know: the one you, Cor, described (with MAILTO)
and the one using the '-r' switch:

crontab -r /etc/master.passwd
crontab -l

Does anyone know the third? Is it, like Cor said, with a tempfile?

> Cor

Ivo

PS: To fix these bugs (or at least, to disable them):
You can disable the MAILTO bug by denying access
(/var/spool/cron/{allow,deny} I think). To disable the bug in crontab (-r),
you will probably have to remove the setuid bit. As far as I know,
upgrading to the latest version (3.*) should also be safe (though I never
checked this version for bugs).

--
------------------------------------------------------------------------
Name: Ivo van der Wijk        | It won't give up it wants me dead
Internet: irvdwijk@cs.vu.nl   | this goddamn noise inside my head
IRC: VladDrac                 |                       |\|||/|
URL: http://www.hut.nl/users/ivo
------------------------------------------------------------------------
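
An added example, not part of the original post and not cron's own code: the MAILTO value quoted above only does harm if it ends up on a shell command line, so a defensive handler allowlists the recipient's characters and passes it to the mailer as a single argv element. The function names and the mailer path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAILER "/usr/sbin/sendmail"   /* assumed mailer path */

/* Hypothetical helper: accept a MAILTO value only if every character is in a
 * small allowlist, so it cannot carry shell syntax (';', spaces, quotes, '$',
 * '/') and cannot be mistaken for a mailer option (leading '-'). */
int mailto_is_safe(const char *s)
{
    static const char extra[] = "_-.@+";
    size_t n = 0;

    if (s == NULL || *s == '\0' || *s == '-')
        return 0;
    for (; *s != '\0'; s++, n++) {
        unsigned char c = (unsigned char)*s;
        if (c >= 0x80 || (!isalnum(c) && strchr(extra, c) == NULL))
            return 0;
    }
    return n <= 254;                  /* constructed upper bound on length */
}

/* Build an argument vector for execv() instead of a string for popen() or
 * system(): the recipient stays one argument and /bin/sh never parses it.
 * Returns 0 on success, -1 if the value is refused. */
int build_mailer_argv(const char *mailto, const char *argv[3])
{
    if (!mailto_is_safe(mailto))
        return -1;
    argv[0] = MAILER;
    argv[1] = mailto;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    /* First value is constructed; second is the one quoted in the post. */
    const char *samples[] = {
        "user@example.org",
        "whatever; /bin/cp /bin/sh /tmp; chmod 4777 /tmp/sh",
    };
    const char *argv[3];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s %s\n", samples[i],
               build_mailer_argv(samples[i], argv) == 0 ? "accepted" : "refused");
    return 0;
}
```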