From owner-freebsd-hackers Tue Jan 16 22:03:49 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id 1FD0937B401 for ; Tue, 16 Jan 2001 22:03:32 -0800 (PST)
Received: (from dan@localhost) by dan.emsphone.com (8.11.1/8.11.1) id f0H63DD14141; Wed, 17 Jan 2001 00:03:13 -0600 (CST) (envelope-from dan)
Date: Wed, 17 Jan 2001 00:03:13 -0600
From: Dan Nelson
To: Greg Black
Cc: Michael Bacarella, hackers@FreeBSD.ORG
Subject: Re: Permissions on crontab..
Message-ID: <20010117000313.A28355@dan.emsphone.com>
References: <20010117001842.A28301@mmap.nyct.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.13i
In-Reply-To: ; from "Greg Black" on Wed Jan 17 15:33:53 GMT 2001
X-OS: FreeBSD 5.0-CURRENT
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In the last episode (Jan 17), Greg Black said:
> Michael Bacarella wrote:
> > Why is crontab suid root?
> >
> > I say to myself "To update /var/cron/tabs/ and to signal cron".
> >
> > Could crontab run suid 'cron'?
> >
> > If those are the only two things it needs to do, run cron as gid
> > 'cron' and make /var/cron/tabs/ group writable by 'cron'.
>
> It has to run jobs as the correct user and must be able to setuid
> accordingly.

Not quite.  As far as I can tell, crontab is setuid root for the sole
purpose of being able to write to /var/cron/tabs.  Cron checks the
timestamp on the directory every minute, so crontab doesn't have to
signal it for changes to get noticed.  If you're paranoid, you can
probably "chgrp cron /var/cron/tabs" and make crontab setgid cron
without any ill effects.  Cron itself must stay setuid root, of course,
so it can run user crontabs as that user.

Or it might need to be setuid for some other reason, since OpenBSD runs
their crontab setuid root, and they usually are pretty security-paranoid.
-- 
	Dan Nelson
	dnelson@emsphone.com
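The message above contrasts two layouts for crontab: the stock setuid-root binary, and a setgid-cron binary paired with a spool directory that group "cron" can write. The following POSIX sh script is an added example, not part of the thread or of any BSD cron distribution: it decodes "ls -l"-style mode strings so the two layouts (and a world-writable spool, which neither layout wants) can be told apart from a recorded listing. The mode strings and owner/group names it is fed are constructed samples, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original thread: classify a crontab binary
# and its spool directory from "ls -l"-style permission fields, so the
# setuid-root and setgid-cron arrangements can be audited from a listing
# without touching the live system.

# classify_crontab MODE OWNER GROUP
#   MODE is the 10-character permission field from "ls -l" (e.g. -r-sr-xr-x).
#   Prints one of: setuid-root, setuid-OWNER, setgid-GROUP, none.
classify_crontab() {
    mode=$1; owner=$2; group=$3
    u=$(printf '%s' "$mode" | cut -c4)   # user execute slot: s/S means setuid
    g=$(printf '%s' "$mode" | cut -c7)   # group execute slot: s/S means setgid
    case "$u" in
        s|S)
            if [ "$owner" = root ]; then
                echo setuid-root
            else
                echo "setuid-$owner"
            fi
            return 0 ;;
    esac
    case "$g" in
        s|S) echo "setgid-$group"; return 0 ;;
    esac
    echo none
}

# spool_ok MODE GROUP
#   Succeeds (exit 0) when the spool directory is group-owned by "cron",
#   group-writable and NOT world-writable: the layout that would let a
#   setgid-cron crontab write tabs without the binary being setuid root.
spool_ok() {
    mode=$1; group=$2
    [ "$group" = cron ] || return 1
    gw=$(printf '%s' "$mode" | cut -c6)   # group write slot
    ow=$(printf '%s' "$mode" | cut -c9)   # other write slot
    [ "$gw" = w ] && [ "$ow" != w ]
}

# Constructed sample listings (not from any real system).
classify_crontab '-r-sr-xr-x' root wheel   # stock layout: setuid-root
classify_crontab '-r-xr-sr-x' root cron    # alternative layout: setgid-cron
if spool_ok 'drwxrwx---' cron; then
    echo "spool: group cron can write, world cannot"
else
    echo "spool: not suitable for a setgid-cron crontab"
fi
```

Feed the functions the mode, owner and group fields of a saved `ls -ld` line for the crontab binary and the spool directory; a world-writable spool fails `spool_ok` regardless of which group owns it.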