From: "Gustavo A. Baratto" <gbaratto@superb.net>
To: Xin LI, Doug Barton, Garance A Drosihn
Cc: freebsd-security@freebsd.org
Date: Tue, 10 Aug 2004 12:32:56 -0700
Subject: Re: [PATCH] Tighten /etc/crontab permissions

It is better to have something secure by default. If someone wants to open up the crontab in /etc/crontab for other users to see it, he/she can do it at his/her own risk.

Many people who are not very familiar with system administration or security, but who nevertheless manage a server, could add cron jobs that are very harmful to themselves without knowing it (e.g. mysqldump for backups with the password hardcoded in the command).

Maybe the purpose of /etc/crontab is exactly to be a read-by-all file. That's fine, but in this case a security warning in BIG letters should be printed at the very beginning of the file.

my $0.02 ;)

----- Original Message -----
From: "Garance A Drosihn"
To: "Xin LI"; "Doug Barton"
Cc:
Sent: Tuesday, August 10, 2004 12:01 PM
Subject: Re: [PATCH] Tighten /etc/crontab permissions

> At 2:10 AM +0800 8/11/04, Xin LI wrote:
> >
> > On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote:
> > >
> > > Can you elaborate on your thinking?
> >
> > I'm not sure if this is a sort of abuse of systemwide crontabs, but
> > the administrators at my company have used them to run some tasks
> > periodically under other identities (to limit these tasks' privilege),
> > and it provided a somewhat "centralized" management so they would
> > prefer to use systemwide crontab rather than per-user ones.
>
> You could get about the same effect by having them all under root's
> crontab, and then having the entry 'su' to the appropriate userid
> before running. So it is centralized in one crontab (root's), but
> it is protected from prying eyes.
>
> > What do you think about the benefit for users being able to see
> > the system crontab? I think knowing what would be executed under
> > others' identity is (at least) not always a good thing, especially
> > the users we generally don't fully trust...
>
> For generic system tasks, it can be useful to know when they run.
> Maybe this means more to me because I'm actually awake at all odd
> hours of the morning, so I notice the effects of some of those
> runs. My runs of 'cvsup_mirror', for instance.
>
> Basically, I use the system crontab for events where I think it
> is safe for every user to know when the events occur, and use
> other crontabs for the things I want to keep private. Just a
> personal preference thing, obviously.
>
> --
> Garance Alistair Drosehn = gad@gilead.netel.rpi.edu
> Senior Systems Programmer or gad@freebsd.org
> Rensselaer Polytechnic Institute or drosih@rpi.edu
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
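A small audit helper in the spirit of the thread, added here as an example and not code from the list or from FreeBSD: it checks whether a crontab file is world-readable and flags entries that carry an inline password, the mysqldump case raised above. The sample crontab content and the password patterns are constructed for the demo.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread or FreeBSD): report a
# crontab that is readable by everyone and contains inline credentials.
# world_readable FILE: succeeds when "other" has the read bit (ls(1) keeps it
# portable across BSD and GNU, unlike stat(1) flags).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}
# credential_lines FILE: non-comment entries whose command looks like it
# carries a password; the patterns are a constructed heuristic, not exhaustive.
credential_lines() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E -e '(^|[[:space:]])-p[^[:space:]]+' -e '--password=' \
                -e 'MYSQL_PWD=' -e 'PASS(WORD)?='
}
# audit_crontab FILE: 0 = not world-readable, 1 = world-readable and leaks
# credentials, 2 = world-readable with nothing obvious (still worth a look).
audit_crontab() {
    ct=$1
    if world_readable "$ct"; then
        if credential_lines "$ct" >/dev/null; then
            return 1
        fi
        return 2
    fi
    return 0
}
# make_sample_crontab: write a constructed /etc/crontab-style file with the
# default 0644 mode the thread argues about, and print its path.
make_sample_crontab() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample, not a real system crontab
SHELL=/bin/sh
#minute hour mday month wday who    command
*/5     *    *    *     *    root   /usr/libexec/atrun
0       3    *    *     *    backup /usr/local/bin/mysqldump -u backup -pS3cret --all-databases > /var/backups/all.sql
EOF
    chmod 644 "$tmp"
    printf '%s\n' "$tmp"
}
# Demo when run directly: audit the constructed sample, then clean it up.
sample=$(make_sample_crontab)
rc=0; audit_crontab "$sample" || rc=$?
case $rc in
    0) echo "$sample: not world-readable" ;;
    1) echo "$sample: world-readable AND carries credentials:"; credential_lines "$sample" ;;
    2) echo "$sample: world-readable; no obvious secrets, review anyway" ;;
esac
rm -f "$sample"
```

Run it against the real /etc/crontab by calling audit_crontab /etc/crontab; a return of 1 is the case the thread warns about, and chmod 600 (or moving the job into root's crontab with an su, as suggested above) clears it.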