From owner-freebsd-hackers Tue Jan 16 23: 4:45 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from gw.gbch.net (gw.gbch.net [203.24.22.66]) by hub.freebsd.org (Postfix) with SMTP id D6B3E37B400 for ; Tue, 16 Jan 2001 23:04:25 -0800 (PST) Received: (qmail 87702 invoked by uid 1001); 17 Jan 2001 17:04:23 +1000 X-Posted-By: GJB-Post 2.09 16-Jan-2001 (FreeBSD) X-URL: http://www.gbch.net X-Image-URL: http://www.gbch.net/gjb/img/gjb-auug048.gif X-PGP-Fingerprint: 5A91 6942 8CEA 9DAB B95B C249 1CE1 493B 2B5A CE30 X-PGP-Public-Key: http://www.gbch.net/gjb/gjb-pgpkey.asc Message-Id: Date: Wed, 17 Jan 2001 17:04:23 +1000 From: Greg Black To: Dan Nelson Cc: Michael Bacarella , hackers@FreeBSD.ORG Subject: Re: Permissions on crontab.. References: <20010117001842.A28301@mmap.nyct.net> <20010117000313.A28355@dan.emsphone.com> In-reply-to: <20010117000313.A28355@dan.emsphone.com> of Wed, 17 Jan 2001 00:03:13 CST Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Dan Nelson wrote: > In the last episode (Jan 17), Greg Black said: > > Michael Bacarella wrote: > > > Why is crontab suid root? > > > > > > I say to myself "To update /var/cron/tabs/ and to signal cron". > > > > > > Could crontab run suid 'cron'? > > > > > > If those are the only two things it needs to do, run cron as gid > > > 'cron' and make /var/cron/tabs/ group writable by 'cron'. > > > > It has to run jobs as the correct user and must be able to setuid > > accordingly. > > Not quite. As far as I can tell, crontab is setuid root for the sole > purpose of being able to write to /var/cron/tabs. Cron checks the > timestamp on the directory every minute, so crontab doesn't have to > signal it for changes to get noticed. Previously, I wrote a bit faster than is good. There are indeed cron implementations where crontab signals cron, and they must be setuid root. However, as noted above, that's not the case with the current FreeBSD implementation. > If you're paranoid, you can > probably "chgrp cron /var/cron/tabs" and make crontab setgid cron > without any ill effects. Cron itself must stay setuid root, of course, > so it can run user crontabs as that user. At least I was not the only person to write hastily. It is not normal for cron to be setuid (and it is not on any BSD machine that I can check right now). It must be run by root, but that is accomplished by starting it from /etc/rc at boot time (or by root re-starting it as needed during normal operation). Dropping the setuid bit on crontab in favour of a setgid cron alternative also means changing the permissions on the /var/cron/tabs directory which is currently only accessible to root. I'm not sure I would want anybody else to have access there. But it would probably work OK. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message