IRIX crontab problems
Description: IRIX's default crontab contains some bad stuff. Like find that execs rm. Check the Bugtraq archives for ways to leverage this to delete anything from the filesystem.
Author: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: Delete any files on the (probably root) filesystem. You should be able to leverage root access from this.
Vulnerable Systems: IRIX, probably 5.3, 6.2, and 6.3
Date: 7 May 1997
Date: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Irix: misc
[...]
3. root crontab
Though suid programs are the most common source of exploits, there're other
places to look. root's crontab on Irix contains various items. For example,
it has several entries that do recursive find+rm. The dangers of this were
discussed on Bugtraq a while back. As far as I remember, it allows removing
arbitrary files on the system by exploiting a race condition in find in
connection with symlinks. Also, cron runs /usr/etc/fsr weekly on Sun
morning. fsr is a disk defragmentation tool, it writes positions where it
left off to file /usr/tmp/.fsrlast. It's merely a DOS threat because of the
contents of the file, I can't see any easy way to get root out of it. Fix
is simple: edit root's crontab and add -f /var/adm/.fsrlast option to fsr.
This problem is not particularly dangerous because /usr/tmp is never cleaned
up, so .fsrlast, once written, will stay there forever, effectively
preventing people from replacing it with a symlink. But on brand new boxes
it may cause bad things. Some interesting results may be obtained by feeding
properly constructed .fsrlast to fsr, but I didn't look closely at it.
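
Added example, not part of the original post or of IRIX: a small audit that flags the two crontab patterns the message describes, find entries that hand their matches to rm, and fsr entries whose state file is left at the default or placed under a tmp directory. The sample entries, the tag names and the function names are constructed for illustration, and a POSIX awk is assumed.

```shell
#!/bin/sh
# Added example: audit crontab text for the entries discussed in the post.

# Constructed sample input; this is NOT the actual IRIX root crontab.
sample_crontab() {
    cat <<'EOF'
# constructed sample entries for the audit below
0 5 * * * find /scratch -mtime +7 -exec rm -f {} \;
0 3 * * 0 /usr/etc/fsr
0 3 * * 0 /usr/etc/fsr -f /var/adm/.fsrlast
0 3 * * 0 /usr/etc/fsr -f /usr/tmp/.fsrlast
15 2 * * * find /var/adm -name core -print
EOF
}

# audit_crontab: reads crontab text on stdin, prints "<line>: <TAG>: <entry>".
#   FIND_RM            find whose matches go to rm (-exec rm or xargs rm)
#   FSR_DEFAULT_STATE  fsr with no -f, so the state file is /usr/tmp/.fsrlast
#   FSR_TMP_STATE      fsr -f pointing into /tmp, /usr/tmp or /var/tmp
audit_crontab() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        if ($0 ~ "(^|[ \t/])find[ \t]" &&
            $0 ~ "(-exec|xargs)[ \t]+([^ \t]*/)?rm([ \t]|$)")
            print NR ": FIND_RM: " $0

        # Fields 1-5 are the schedule; look for fsr from field 6 onward.
        for (i = 6; i <= NF; i++) {
            if ($i !~ "(^|/)fsr$") continue
            state = ""
            for (j = i + 1; j < NF; j++)
                if ($j == "-f") state = $(j + 1)
            if (state == "")
                print NR ": FSR_DEFAULT_STATE: " $0
            else if (state ~ "^(/usr|/var)?/tmp/")
                print NR ": FSR_TMP_STATE: " $0
            break
        }
    }'
}

# Stand-alone run over the constructed sample.
sample_crontab | audit_crontab
```

To check a real system, pipe the output of `crontab -l` run as root into `audit_crontab` instead of the sample.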
This page is part of Fyodor's exploit world.