From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 16:43:27 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 921DD16A4CE for ; Tue, 10 Aug 2004 16:43:27 +0000 (GMT) Received: from mail.freebsd.org.cn (dns3.freebsd.org.cn [61.129.66.75]) by mx1.FreeBSD.org (Postfix) with SMTP id 1D57543D2F for ; Tue, 10 Aug 2004 16:43:26 +0000 (GMT) (envelope-from delphij@frontfree.net) Received: (qmail 91057 invoked by uid 0); 10 Aug 2004 16:40:53 -0000 Received: from unknown (HELO beastie.frontfree.net) (219.239.98.7) by mail.freebsd.org.cn with SMTP; 10 Aug 2004 16:40:53 -0000 Received: from localhost (localhost.frontfree.net [127.0.0.1]) by beastie.frontfree.net (Postfix) with ESMTP id 07C8A11513 for ; Wed, 11 Aug 2004 00:13:10 +0800 (CST) Received: from beastie.frontfree.net ([127.0.0.1]) by localhost (beastie.frontfree.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03861-03 for ; Wed, 11 Aug 2004 00:13:06 +0800 (CST) Received: by beastie.frontfree.net (Postfix, from userid 1001) id 9408911462; Wed, 11 Aug 2004 00:13:05 +0800 (CST) Date: Wed, 11 Aug 2004 00:13:05 +0800 From: Xin LI To: freebsd-security@FreeBSD.org Message-ID: <20040810161305.GA161@frontfree.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="XF85m9dhOBO43t/C" Content-Disposition: inline User-Agent: Mutt/1.4.2.1i X-GPG-key-ID/Fingerprint: 0xCAEEB8C0 / 43B8 B703 B8DD 0231 B333 DC28 39FB 93A0 CAEE B8C0 X-GPG-Public-Key: http://www.delphij.net/delphij.asc X-Operating-System: FreeBSD beastie.frontfree.net 5.2-delphij FreeBSD 5.2-delphij #3: Fri Jul 30 20:01:43 CST 2004 delphij@beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386 X-URL: http://www.delphij.net X-By: delphij@beastie.frontfree.net X-Location: Beijing, China X-Virus-Scanned: by amavisd-new at frontfree.net Subject: [PATCH] Tighten /etc/crontab permissions X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Aug 2004 16:43:27 -0000 --XF85m9dhOBO43t/C Content-Type: multipart/mixed; boundary="CE+1k2dSO48ffgeK" Content-Disposition: inline --CE+1k2dSO48ffgeK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi folks, While investigating OpenBSD's cron implementation, I found that they set the systemwide crontab (a.k.a. /etc/crontab) to be readable by the superuser only. The attached patch will bring this to FreeBSD by moving crontab out from BIN1 group and install it along with master.passwd. This change should not affect the current cron(1) behavior. Cheers, --=20 Xin LI http://www.delphij.net/ See complete headers for GPG key and other information. --CE+1k2dSO48ffgeK Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=patch-etc-Makefile Content-Transfer-Encoding: quoted-printable Index: Makefile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/fcvs/src/etc/Makefile,v retrieving revision 1.327 diff -u -r1.327 Makefile --- Makefile 23 Mar 2004 22:17:34 -0000 1.327 +++ Makefile 10 Aug 2004 06:03:59 -0000 @@ -6,7 +6,7 @@ .endif =20 BIN1=3D amd.map apmd.conf auth.conf \ - crontab csh.cshrc csh.login csh.logout devd.conf devfs.conf \ + csh.cshrc csh.login csh.logout devd.conf devfs.conf \ dhclient.conf disktab fbtab ftpusers gettytab group \ hosts hosts.allow hosts.equiv hosts.lpd \ inetd.conf login.access login.conf \ @@ -73,7 +73,7 @@ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \ ${BIN2} ${DESTDIR}/etc; \ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \ - master.passwd nsmb.conf opieaccess ${DESTDIR}/etc; \ + crontab master.passwd nsmb.conf opieaccess ${DESTDIR}/etc; \ pwd_mkdb -p -d ${DESTDIR}/etc ${DESTDIR}/etc/master.passwd cd ${.CURDIR}/bluetooth; ${MAKE} install cd ${.CURDIR}/defaults; ${MAKE} install --CE+1k2dSO48ffgeK-- --XF85m9dhOBO43t/C Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFBGPQROfuToMruuMARAoTqAJkBHDBzhA/syFnozOSSVguF6rDAEACffdM1 dKvIfI0ua19FCrBFg41KksM= =uVB3 -----END PGP SIGNATURE----- --XF85m9dhOBO43t/C--