From: Tzafrir Cohen (tzafrirtechnion.ac.il)
Date: Wed Feb 21 2001 - 18:54:54 CST

    On Wed, 21 Feb 2001, Stefan Siegel wrote:

    > On 2001-02-21, at 21:05:08 (-0700), the Linux Mandrake Security Team wrote:
    > > ________________________________________________________________________
    > >
    > > Linux-Mandrake Security Update Advisory
    > > ________________________________________________________________________
    > >
    > > Package name: vixie-cron
    > > Date: February 20th, 2001
    > > Advisory ID: MDKSA-2001:022
    > >
    > > Affected versions: 6.0, 6.1, 7.0, 7.1, 7.2, Corporate Server 1.0.1
    > > ________________________________________________________________________
    > >
    > > Problem Description:
    > >
    > > A buffer overflow exists in the 'crontab' command if it was called by
    > > a user with a username longer than 20 characters. If the system
    > > administrator has created usernames of that length, it would be
    > > possible for those users to gain elevated privileges.
    >
    > As my machine does not run 24h/d I wanted to remove this package

    This is a bit of an over-reaction. If you fear local exploits, unset the suid
    bit of the crontab executable, or make it executable only to a certain
    group of users.

    No point of removing the cron daemon itself.

    [Is that correct?]

    > (anacron is installed ...).

    Anacron handles daily, weekly, etc. jobs. But cron is used for many other
    things. It is really a basic component of a Linux system.

    > I was really surprised to see that there
    > are dependency problems:
    >
    > +-----------------------------------------------------------------------
    > |rootmenhir[~] rpm -e vixie-cron
    > |Fehler: Das Enfernen dieser Pakete würde Paket-Abhängigkeiten missachten:
    > | vixie-cron wird von basesystem-7.2-1mdk gebraucht
    > | vixie-cron >= 3.0.1-31 wird von modutils-2.3.21-1.3mdk gebraucht
    > +-----------------------------------------------------------------------
    >
    > OK, "basesystem" has only a virtual dependency which could (and should)
    > be replaced by "cron" and thus provided by "anacron" as by "vixie-cron"
    > package.

    You may be right about replacing 'vixie-cron' with 'cron', as there are
    some vixie-cron replacements. However anacron is not one of them.

    For instance: anacron will not run jobs from /etc/cron.hourly every hour.

    > Why does modutils need "vixie-cron >= 3.0.1-31" ???

      $ rpm -ql modutils |grep cron
      /etc/cron.d/kmod
      $ cat /etc/cron.d/kmod
      # rmmod -a is a two-hand sweep module cleaner
      */10 * * * * root /sbin/rmmod -as

    Thus modutils uses cron to clean unneeded modules every 10 minutes.

    -- 
    Tzafrir Cohen
    mailto:tzafrirtechnion.ac.il
    http://www.technion.ac.il/~tzafrir
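An added audit script (not part of this thread, nor of the Mandrake advisory) that checks the two points discussed above: whether the crontab binary is setuid and executable by everyone, and whether any account name exceeds the 20-character limit named in the advisory. It assumes a POSIX shell with ls and awk; the crontab path /usr/bin/crontab and the group name passed to restrict_crontab_to_group are assumptions.

```shell
#!/bin/sh
# Constructed example: audit and harden a setuid crontab, and flag the
# condition (usernames longer than 20 characters) that the advisory names.

# Classify a binary's mode: "setuid-world" (setuid, anyone may run it),
# "setuid-group" (setuid, only owner/group may run it), "no-setuid", or "missing".
crontab_mode_class() {
    path="$1"
    [ -e "$path" ] || { echo "missing"; return 0; }
    perms=$(ls -ld "$path" | cut -c1-10)    # e.g. -rwsr-xr-x
    owner_x=$(printf '%s' "$perms" | cut -c4) # 's'/'S' => setuid bit set
    other_x=$(printf '%s' "$perms" | cut -c10) # 'x'/'t' => world-executable
    case "$owner_x" in
        s|S)
            case "$other_x" in
                x|t) echo "setuid-world" ;;
                *)   echo "setuid-group" ;;
            esac ;;
        *) echo "no-setuid" ;;
    esac
}

# The group-restriction mitigation from the thread: keep setuid so the command
# still works for trusted users, but let only members of GROUP execute it.
# Group name is an assumption; adjust to a group that exists on the system.
restrict_crontab_to_group() {
    path="$1"; group="$2"
    chgrp "$group" "$path" && chmod 4750 "$path"
}

# List login names longer than 20 characters from a passwd-format file.
long_usernames() {
    awk -F: 'length($1) > 20 { print $1 }' "$1"
}

# Stand-alone run: report on the real system (paths are assumptions).
CRONTAB_BIN=/usr/bin/crontab
echo "crontab mode: $(crontab_mode_class "$CRONTAB_BIN")"
if [ -r /etc/passwd ]; then
    echo "usernames over 20 chars:"
    long_usernames /etc/passwd
fi
```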