Date: Wed, 17 Jan 2001 12:37:41 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: David Malone <dwmalone@maths.tcd.ie>
Cc: mbac@mmap.nyct.net, hackers@FreeBSD.org
Subject: Re: Permissions on crontab..
Message-ID: <20010117123740.Q364@ringworld.oblivion.bg>
In-Reply-To: <20010117102822.B25338@walton.maths.tcd.ie>; from dwmalone@maths.tcd.ie on Wed, Jan 17, 2001 at 10:28:22AM +0000
References: <20010117001842.A28301@mmap.nyct.net> <20010117102822.B25338@walton.maths.tcd.ie>
On Wed, Jan 17, 2001 at 10:28:22AM +0000, David Malone wrote:
> On Wed, Jan 17, 2001 at 12:18:42AM -0500, mbac@mmap.nyct.net wrote:
>
> > Why is crontab suid root?
> >
> > I say to myself "To update /var/cron/tabs/ and to signal cron".
> >
> > Could crontab run suid 'cron'?
> >
> > If those are the only two things it needs to do, run cron as
> > gid 'cron' and make /var/cron/tabs/ group writable by 'cron'.
>
> I'm not sure how much this would help. Being able to write arbitrary
> crontabs is equivalent to root access. Making a user or group who
> can write cron jobs is almost equivalent to adding a second root
> user. It would probably be better to spend the time looking at the
> crontab source code for risky bits of code.
>
> (I guess it provides some protection in the case where you are
> making the crontab user read files it shouldn't. If you can make
> it write files it shouldn't then you're getting into the root
> equivalent area).

Currently crontab only allows you to change others' files if you specify
the -u option, which in turn is only allowed if you already are the
superuser.

..or did you mean some kind of unintended/faulty behavior? Yes, running
crontab setgid does open a window of opportunity for errors, but no more,
I think, than running it setuid, as it currently is.

G'luck,
Peter

--
Hey, out there - is it *you* reading me, or is it someone else?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
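The thread's point is that whoever can write into the crontab spool is root-equivalent, whatever privilege bits the crontab binary carries. The following audit helper is an added example, not code from the thread or from FreeBSD: it classifies the crontab binary from its mode and owner, and lists every principal whose write bit on the spool directory makes them root-equivalent. The spool path /var/cron/tabs is from the thread; the binary path /usr/bin/crontab is an assumption, and the sample (mode, uid, gid) values are constructed.

```python
import os
import stat
from typing import List, Optional, Tuple

def classify_crontab_binary(mode: int, uid: int, gid: int) -> str:
    """Describe the privilege the crontab binary runs with.

    `mode`, `uid` and `gid` are the values os.stat() reports; a setuid
    root binary is the status quo the thread discusses, setgid 'cron'
    is the proposed alternative.
    """
    if mode & stat.S_ISUID and uid == 0:
        return "setuid root"
    if mode & stat.S_ISUID:
        return "setuid uid=%d" % uid
    if mode & stat.S_ISGID:
        return "setgid gid=%d" % gid
    return "no setuid/setgid bit"

def root_equivalent_writers(mode: int, uid: int, gid: int) -> List[Tuple[str, Optional[int]]]:
    """List who can write the spool directory, i.e. who can plant a crontab.

    Each entry is (kind, id): the owning uid, the owning gid if the group
    write bit is set, and ("everyone", None) if the directory is
    world-writable. Anything beyond the owning uid (normally 0) is an
    additional root-equivalent principal, which is David's objection.
    """
    writers: List[Tuple[str, Optional[int]]] = []
    if mode & stat.S_IWUSR:
        writers.append(("uid", uid))
    if mode & stat.S_IWGRP:
        writers.append(("gid", gid))
    if mode & stat.S_IWOTH:
        writers.append(("everyone", None))
    return writers

def audit_live(crontab_bin: str = "/usr/bin/crontab",    # assumed path
               spool_dir: str = "/var/cron/tabs") -> Tuple[str, list]:
    """Run both checks against the real filesystem (requires read access)."""
    b = os.stat(crontab_bin)
    d = os.stat(spool_dir)
    return (classify_crontab_binary(b.st_mode, b.st_uid, b.st_gid),
            root_equivalent_writers(d.st_mode, d.st_uid, d.st_gid))

if __name__ == "__main__":
    # Constructed sample: setgid crontab plus a group-writable spool owned
    # by gid 50 ("cron") reports gid 50 as root-equivalent.
    print(classify_crontab_binary(0o102555, 0, 50))
    print(root_equivalent_writers(0o40775, 0, 50))
```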