Date: Tue, 10 Aug 2004 12:32:56 -0700
From: "Gustavo A. Baratto" <gbaratto@superb.net>
To: Xin LI <delphij@frontfree.net>, Doug Barton <DougB@freebsd.org>, Garance A Drosihn <drosih@rpi.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: [PATCH] Tighten /etc/crontab permissions
Message-ID: <002401c47f10$d6f98ea0$6400a8c0@chivas>
References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <20040810181039.GA3189@frontfree.net> <p06110419bd3ec9e7d533@[128.113.24.47]>

It is better to have something secure by default. If someone wants to open
up the crontab in /etc/crontab for other users to see it, he/she can do it
at his/her own risk.

Many people who are not very familiar with system administration or
security, but yet manage a server, could add cronjobs that could be very
harmful to themselves and they don't know it (e.g. mysqldump for backups
with the password hardcoded in the command).

Maybe the purpose of /etc/crontab is exactly to be a read-by-all file.
That's fine, but in this case, a security warning with BIG letters should be
printed at the very beginning of the file.

my $0.02 ;)

----- Original Message -----
From: "Garance A Drosihn" <drosih@rpi.edu>
To: "Xin LI" <delphij@frontfree.net>; "Doug Barton" <DougB@freebsd.org>
Cc: <freebsd-security@freebsd.org>
Sent: Tuesday, August 10, 2004 12:01 PM
Subject: Re: [PATCH] Tighten /etc/crontab permissions

> At 2:10 AM +0800 8/11/04, Xin LI wrote:
> >
> >On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote:
> >>
> > > Can you elaborate on your thinking?
> >
> >I'm not sure if this is a sort of abusing systemwide crontabs, but
> >the administrators at my company have used them to run some tasks
> >periodically under other identities (to limit these tasks' privilege),
> >and it provided a somewhat "centralized" management so they would
> >prefer to use systemwide crontab rather than per-user ones.
>
> You could get about the same effect by having them all under root's
> crontab, and then having the entry 'su' to the appropriate userid
> before running. So it is centralized in one crontab (root's), but
> it is protected from prying eyes.
>
> >What do you think about the benefit for users being able to see
> >the system crontab? I think knowing what would be executed under
> >others' identity is (at least) not always a good thing, especially
> >the users we generally don't fully trust...
>
> For generic system tasks, it can be useful to know when they run.
> Maybe this means more to me because I'm actually awake at all odd
> hours of the morning, so I notice the effects of some of those
> runs. My runs of 'cvsup_mirror', for instance.
>
> Basically, I use the system crontab for events where I think it
> is safe for every user to know when the events occur, and use
> other crontabs for the things I want to keep private. Just a
> personal preference thing, obviously.
>
> --
> Garance Alistair Drosehn = gad@gilead.netel.rpi.edu
> Senior Systems Programmer or gad@freebsd.org
> Rensselaer Polytechnic Institute or drosih@rpi.edu
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
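
The risk raised in this message (a password on a command line in a world-readable /etc/crontab) can be checked for mechanically. The following POSIX sh audit is an added example, not part of the original e-mail or of FreeBSD; the function names, the match patterns and the sample crontab are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): flag credentials in a world-readable crontab.

# Succeeds when "other" has read permission. Character 8 of the ls -l mode
# string is the other-read bit on both BSD and GNU ls.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print non-comment lines that look like they carry a credential on the
# command line. Heuristic patterns, chosen for this example.
secret_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -E \
        -e 'mysql(dump)?[[:space:]](.*[[:space:]])?-p[^[:space:]]+' \
        -e '--password[= ][^[:space:]]+' \
        -e '(PASSWORD|PGPASSWORD|MYSQL_PWD)=[^[:space:]]+'
}

# Return 0 = nothing found, 1 = secrets but file is private, 2 = exposed.
audit_crontab() {
    hits=$(secret_lines "$1" || true)
    [ -n "$hits" ] || { echo "OK: $1"; return 0; }
    if world_readable "$1"; then
        echo "EXPOSED: $1 is world-readable:"; echo "$hits"; return 2
    fi
    echo "PRIVATE: $1 has credential-like arguments but is not world-readable"
    return 1
}

# Constructed sample in FreeBSD system-crontab layout (with the user field).
make_sample() {
    f=$(mktemp "${TMPDIR:-/tmp}/crontab.XXXXXX") || return 1
    cat > "$f" <<'EOF'
SHELL=/bin/sh
# 0 4 * * * root mysqldump -pOldExample
0 3 * * * root mysqldump -u backup -pS3cretExample --all-databases
*/5 * * * * root /usr/libexec/atrun
EOF
    echo "$f"
}

sample=$(make_sample)
chmod 644 "$sample"; audit_crontab "$sample" || true   # reports EXPOSED
chmod 600 "$sample"; audit_crontab "$sample" || true   # reports PRIVATE
rm -f "$sample"
```

Even with the file at mode 600, a password given as a command-line argument is visible in the process list while the job runs, so the private case still returns non-zero.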