Join Log in
Score:0
magicsux avatar Ubuntu

Any user can change roots' crontab

ve flag
magicsux

I wrote a simple php crontab management program that updated the crontab of 'someuser' like so

crontab -u someuser /path/to/new/cronfile

however I was in need to run some php scripts as root so I decided to edit roots' crontab instead and add the required user field to each script:

crontab -u root /path/to/new/cronfile

Surprisingly that worked! I was really wondering how that can be possible and checked /etc/crontab for its' permissions.` rw-r--r--

Well, how can any user run various planned scripts on roots behalf and with access to every single user?

That must be a bug, is it?

// edit (added php script due to comments)

$crontabCacheFile = PATH_CACHE . 'crontab.cache';
$cronFile = PATH_ROOT . '.crontab';
if(!is_file($crontabCacheFile) || (filemtime($cronFile) > filemtime($crontabCacheFile))) {
    # install new cronfile
    if(false === $result = system("crontab -u root $cronFile"))
        logWrite("failed to install new crontab $cronFile", true);
    else
        file_put_contents($crontabCacheFile, date('Y-m-d H:i:s') . " installed new crontab $result\n", FILE_APPEND);
}

The script is running on www user (that owns PATH_* directories in /var/www/projectdir)

lsb_release -a spits out:

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
91
1 + 4
php
guiverc avatar
cn flag
guiverc
You've provided no OS/release details. My own Ubuntu system will report "*must be privileged to use -u*" and thus nothing can be done; what OS & release are you using
1
Reply
Raffa avatar
jp flag
Raffa
"*Well, how can any user run various planned scripts on roots behalf and with access to every single user?*" ... No normal user can do that unless with admin privileges e.g. `sudo crontab -u ....` ... Who is the owner of your PHP script and how do you run it? Are you running it with admin privileges? If yes, then the code/commands inside it will inherit their privileges from that.
2
Reply
hr flag
steeldriver
AFAIK the `crontab` command modifies files in `/var/spool/cron/crontabs`, rather than the system-wide `/etc/crontab` file. Regardless, it shouldn't even be possible to use the `-u` option unless you are already root.
0
Reply
magicsux avatar
ve flag
magicsux
I've edited the thread accordingly for the comments. BTW: also `/var/spool/cron/crontabs`-subfiles is only accessible by their respective owners. it still works though...
0
Reply
Score:1
avatar Ubuntu
gb flag
Alex

There might be a confusion due to the way you wrote your PHP script. You checking for a return of exactly false, but the system() call would return an empty string, even if it fails (because the error message is printed on STDERR, not STDOUT).

So did you check that your crontab indeed gets installed? Or are you just checking the absence of the "failed to install..." message int he log?

I checked it like this:

php -a
php > if (false === system('crontab -u root /tmp/foo')) echo "false returned"; else echo "not false returned";
must be privileged to use -u
not false returned

This returns an error, but still goes to the else branch of the if!

If you use == for comparison it would log message:

php > if (false == system('crontab -u root /tmp/foo')) echo "false returned"; else echo "not false returned";
must be privileged to use -u
false returned

But you would better check the return code ...

system("crontab -u root $cronFile", $result)

if ($result === 0) //success
+ 1
magicsux avatar
ve flag
magicsux
you are totally right. it did shut down all jobs immediately and I thought it was completed successfully.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.