From: Garance A Drosihn <drosih@rpi.edu>
To: Xin LI, Doug Barton
Cc: freebsd-security@freebsd.org
Date: Tue, 10 Aug 2004 15:01:30 -0400
Subject: Re: [PATCH] Tighten /etc/crontab permissions

At 2:10 AM +0800 8/11/04, Xin LI wrote:
>
> On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote:
>>
>> Can you elaborate on your thinking?
>
> I'm not sure if this is a sort of abusing systemwide crontabs, but
> the administrators at my company have used them to run some tasks
> periodically under other identities (to limit these tasks' privilege),
> and it provided a somewhat "centralized" management so they would
> prefer to use systemwide crontab rather than per-user ones.
You could get about the same effect by having them all under root's
crontab, and then having the entry 'su' to the appropriate userid before
running. So it is centralized in one crontab (root's), but it is protected
from prying eyes.

> What do you think about the benefit for users being able to see
> the system crontab? I think knowing what would be executed under
> others' identity is (at least) not always a good thing, especially
> the users we generally don't fully trust...

For generic system tasks, it can be useful to know when they run. Maybe
this means more to me because I'm actually awake at all odd hours of the
morning, so I notice the effects of some of those runs. My runs of
'cvsup_mirror', for instance.

Basically, I use the system crontab for events where I think it is safe
for every user to know when the events occur, and use other crontabs for
the things I want to keep private. Just a personal preference thing,
obviously.

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu
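An added illustration of the two options weighed in this message (not code from the thread or from FreeBSD): a check for whether a crontab file is readable by users other than its owner and group, which is the property the proposed /etc/crontab permission change takes away, and a helper that rewrites a system-crontab entry (with its user field) into the equivalent root-crontab entry that drops to that user with su. The function names and the sample crontab lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumes the FreeBSD /etc/crontab
# layout: "min hour mday month wday user command...".

# Print "yes" if the file's "other" read bit is set, else "no".
# ls -l is used instead of stat(1) because stat's flags differ between
# BSD and GNU userlands; column 8 of the mode string is the other-read bit.
other_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) echo yes ;;
        *) echo no ;;
    esac
}

# Rewrite one system-crontab line into a root-crontab line of the form
# "min hour mday month wday su -m user -c 'command...'".
# su -m leaves the environment unmodified, as a system crontab entry would.
# Blank lines, comments and VAR=value settings pass through unchanged.
# @reboot-style shortcuts are not handled and are reported as malformed.
to_root_crontab_entry() {
    line=$1
    case "$line" in
        ''|\#*|[A-Za-z_]*=*) printf '%s\n' "$line"; return 0 ;;
    esac
    # Disable globbing so the '*' schedule fields are not expanded.
    set -f
    set -- $line
    set +f
    if [ $# -lt 7 ]; then
        printf 'skipping malformed line: %s\n' "$line" >&2
        return 1
    fi
    sched="$1 $2 $3 $4 $5"
    user=$6
    shift 6
    cmd=$*
    # Single-quote the command for su -c; escape embedded single quotes.
    esc=$(printf '%s' "$cmd" | sed "s/'/'\\\\''/g")
    printf "%s su -m %s -c '%s'\n" "$sched" "$user" "$esc"
}

# Constructed sample: a system-crontab line that runs a job as "backup".
to_root_crontab_entry "0 3 * * * backup /usr/local/bin/run-backup --quiet"
other_readable /etc/crontab
```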