I recently watched the following great talk on hacking laravel apps.
Towards the end of the talk Antti shows how it is possible to potentially gain root access to a server if your scheduler is running as root too.
As soon as I saw it I know I had a couple of apps where this vulnerability could have been exploited and so went to patch them straight away.
Whilst I knew what needed to be done I wasn’t 100% on how exactly I’d add an entry into another user’s crontab that wasn’t my own or root.
Turns out it was quite simple, acting as root use the
-u argument to specify the target user.
sudo crontab -e -u www-data
In the above example the crontab for the user www-data would be opened. Since my php-fpm instance is run by www-data and therefore has access to all the application code already this made sense to me.
Hopefully I’ll never make this mistake again. If you haven’t already seen Antti’s talk above I’d highly recommend doing so asap!