Vulnerability

    crontab


Affected

    FreeBSD 2.1.0 and possibly others

Description

    /usr/libexec/locate.updatedb is  called from  /etc/weekly. It  has
    _exactly_  the  same  problem  as  /etc/security with it's opening
    temp files.  By default,  it uses  /var/tmp instead  of /tmp,  but
    they're both mode  1777 so it  doesn't make any  difference. I was
    able to  overwrite my  own /etc/master.passwd  by just  creating a
    symlink (as a normal user) and running locate.updatedb (as  root).
    I  don't  know  if  the  content  of  the files can be manipulated
    enough to gain  root, but users  being able to  munge any file  on
    the system is  not a Good  Thing.  Credit  for this goes  to Steve
    Reid.

Solution

    The  easiest  fix  for  this  is  the  same as the easiest fix for
    /etc/security:   use  a  root-only  directory  such  as   /var/run
    instead  of  something  world  writable.  There's a handy line for
    this in the script:

        if (! $?TMPDIR) setenv TMPDIR /var/tmp

    Change it to

        if (! $?TMPDIR) setenv TMPDIR /var/run
                                           ^^^

    or just

        setenv TMPDIR /var/run