From owner-freebsd-security Wed Jul 3 1:53:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 94B1F37B400 for ; Wed, 3 Jul 2002 01:53:52 -0700 (PDT) Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 1122143E52 for ; Wed, 3 Jul 2002 01:53:50 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 5356 invoked by uid 85); 3 Jul 2002 09:06:08 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 3 Jul 2002 09:06:05 -0000 Received: (qmail 21742 invoked by uid 1000); 3 Jul 2002 08:52:19 -0000 Date: Wed, 3 Jul 2002 11:52:19 +0300 From: Peter Pentchev To: Kim Okasawa Cc: freebsd-security@FreeBSD.ORG Subject: Re: Any security issues with root's cron job? Message-ID: <20020703085219.GC384@straylight.oblivion.bg> Mail-Followup-To: Kim Okasawa , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="WYTEVAkct0FjGQmd" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --WYTEVAkct0FjGQmd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jul 03, 2002 at 09:59:15AM +0900, Kim Okasawa wrote: >=20 > Dear all, >=20 > I want to set up a crob job to run a script (Perl or shell). The script= =20 > will be read/write/exec by root only (i.e. 700 or -rwx------). It will r= un=20 > /sbin/ipfw periodically to change rules according to need. >=20 > Can anyone think of any potential security risks to such practice? Any= =20 > suggestions and comments are greatly appreciated. Thank you! I can see no problem with that as far as you described it; any potential problems would crawl out of the 'according to need' part. You'd better be damn sure that no one but specially-authorized-sysadmin-processes can indicate 'need'. Other than that, no, there is no problem with root cron jobs per se, as long as you are careful :) G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This sentence no verb. --WYTEVAkct0FjGQmd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9IrtD7Ri2jRYZRVMRAscIAKDEP+67h/qtHSYkTfgq1uZKrjXBvwCgiYey P7Khp20hbpWY2FVO1ppjPX4= =zeFj -----END PGP SIGNATURE----- --WYTEVAkct0FjGQmd-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message