Re: local root compromise in openbsd 3.0 and below

From: Solar Designer (solarat_private)
Date: Thu Apr 11 2002 - 13:02:05 PDT

    On Thu, Apr 11, 2002 at 01:29:28PM +0200, Przemyslaw Frasunek wrote:
    > default root crontab entry looks like:
    > 
    > # do daily/weekly/monthly maintenance
    > # on monday only (techie)
    > 30      1       *       *       1       /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "`/bin/hostname` daily output" root
    > 30      3       *       *       6       /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "`/bin/hostname` weekly output" root
    > 30      5       1       *       *       /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root
    
    Dangerous stuff.  (The same applies to much of /etc/security on *BSD's.)
    
    > Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
    
    The bug appears to have been introduced before OpenBSD 2.9 (in January,
    2001), with this commit message:
    
    Changes from Don Beusee:
    [...other changes skipped...]
    o tilde commands work regardless of interactive mode.
    
    The mailx (/bin/mail) on Owl is derived from OpenBSD 2.7 code and thus
    doesn't contain this vulnerability.  (Should sync with the new OpenBSD
    code eventually, but as we can see doing a sync blindly would be worse
    than not doing it at all for a while longer.)  We also don't have cron
    jobs like this.
    
    -- 
    /sd
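Added example (not code from this thread, OpenBSD or Owl): the two defensive pieces a practitioner would want around the crontab pipeline quoted above, an audit for body lines that mailx(1) reads as tilde escapes and a delivery path through sendmail(8) that never hands the body to the mailx parser. The sample output is constructed and the sendmail path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original thread, OpenBSD, or Owl.
# 1. count_tilde_lines: audit captured script output for lines that
#    mailx(1) treats as tilde escapes (in the vulnerable versions even
#    when not interactive, as the thread describes).
# 2. build_message/deliver_output: assemble the message in the script and
#    hand it to sendmail(8), which delivers the body verbatim.
# Assumptions: POSIX sh, grep, tr; sendmail at /usr/sbin/sendmail.

# Constructed sample of maintenance-script output. The second line has
# the shape mailx(1) interprets as an escape at the start of a body line.
SAMPLE_OUTPUT=$(printf 'Removing scratch files\n~!id\nDone\n')

# Print the number of lines in $1 that begin with '~'. A non-zero count
# means the text must not be piped into mail(1)'s body parser.
count_tilde_lines() {
    printf '%s\n' "$1" | grep -c '^~' || true
}

# Build a complete message for 'sendmail -t': recipient $1, subject $2,
# body $3. CR/LF are stripped from the header values so a subject taken
# from command output (the quoted crontab uses `/bin/hostname`) cannot
# add headers of its own. The body after the blank line is left untouched.
build_message() {
    _to=$(printf '%s' "$1" | tr -d '\r\n')
    _subject=$(printf '%s' "$2" | tr -d '\r\n')
    printf 'To: %s\nSubject: %s\n\n%s\n' "$_to" "$_subject" "$3"
}

# Hardened replacement for '... | mail -s "..." root'. -t takes the
# recipient from the headers; -i keeps a lone '.' line from ending input.
deliver_output() {
    build_message "$1" "$2" "$3" | /usr/sbin/sendmail -t -i
}

# Audit the constructed sample; a real audit would read the log file the
# pipeline writes (e.g. /var/log/daily.out) before anything mails it.
n=$(count_tilde_lines "$SAMPLE_OUTPUT")
if [ "$n" -gt 0 ]; then
    echo "found $n tilde-escape line(s); do not pipe this through mail(1)"
fi
```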
    
    This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 16:17:47 PDT