Date: Wed, 3 Jul 2002 16:53:19 +0200
From: Stephanie Wehner <_@r4k.net>
To: Peter Pentchev <roam@ringlet.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any security issues with root's cron job?
Message-ID: <20020703145319.GB14710@r4k.net>
In-Reply-To: <20020703085219.GC384@straylight.oblivion.bg>
References: <F196dVHga3btg7dw7p70000552e@hotmail.com> <20020703085219.GC384@straylight.oblivion.bg>

Hi Peter,

> > I want to set up a cron job to run a script (Perl or shell). The script
> > will be read/write/exec by root only (i.e. 700 or -rwx------). It will run
> > /sbin/ipfw periodically to change rules according to need.
> >
> > Can anyone think of any potential security risks to such practice? Any
> > suggestions and comments are greatly appreciated. Thank you!
>
> I can see no problem with that as far as you described it; any potential
> problems would crawl out of the 'according to need' part. You'd better
> be damn sure that no one but specially-authorized-sysadmin-processes can
> indicate 'need'.
>
> Other than that, no, there is no problem with root cron jobs per se, as
> long as you are careful :)

hmja, however in this case I'd also be interested in how this system
obtains its timing information. e.g. if the ipfw rules are set by a cronjob
and the machine is remotely updated from an ntp server for example, anyone
controlling the ntp server could in effect toggle your firewall rules.
I guess this is also somewhat contained in this 'according to need' part.

bye,
Stephanie

--<> _@r4k.net <>------------------<> FreeBSD <>-------------------
#3 - Anime Law of Sonic Amplification, First Law of Anime Acoustics
In space, loud sounds, like explosions, are even louder because there is
no air to get in the way.
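
An added example, not part of the original thread: the 700 mode on the script only holds if nobody else can replace the file through a writable parent directory, so this sketch audits the script and every directory above it. The function names and the optional UID and STOP_DIR arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: audit_root_script SCRIPT [UID] [STOP_DIR]   (defaults: UID 0, STOP_DIR /)
# SCRIPT and STOP_DIR must be absolute paths; returns 0 only if all checks pass.

# Print "MODE UID" for a path, parsed from the portable `ls -ldn` output.
mode_uid() {
    ls -ldn -- "$1" 2>/dev/null |
        { read -r mode _links uid _rest && echo "$mode $uid"; }
}

audit_root_script() {
    script=$1 want_uid=${2:-0} stop=${3:-/} bad=0
    case "$script" in /*) ;; *) echo "FAIL: need an absolute path"; return 2 ;; esac

    info=$(mode_uid "$script") || { echo "FAIL: cannot stat $script"; return 2; }
    mode=${info% *} uid=${info#* }
    # The requirement stated in the thread: a regular file, mode 700 (-rwx------).
    case "$mode" in
        -rwx------*) ;;
        *) echo "FAIL: $script has mode $mode, expected -rwx------"; bad=1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $script owned by uid $uid"; bad=1; }

    # Whoever can write to a parent directory can rename the script away and
    # put another file in its place, so each ancestor is checked as well.
    dir=$(dirname "$script")
    while :; do
        info=$(mode_uid "$dir") || { echo "FAIL: cannot stat $dir"; return 2; }
        mode=${info% *} uid=${info#* }
        case "$mode" in
            d????-??-?*) ;;   # a directory with no group or other write bit
            *) echo "FAIL: $dir is not a directory closed to group/other writes ($mode)"
               bad=1 ;;
        esac
        [ "$uid" = "$want_uid" ] || { echo "FAIL: $dir owned by uid $uid"; bad=1; }
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    return "$bad"
}
```
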