Date: Wed, 3 Jul 2002 16:53:19 +0200
From: Stephanie Wehner <_@r4k.net>
To: Peter Pentchev
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Any security issues with root's cron job?

Hi Peter,

> > I want to set up a cron job to run a script (Perl or shell). The script
> > will be read/write/exec by root only (i.e. 700 or -rwx------). It will run
> > /sbin/ipfw periodically to change rules according to need.
> >
> > Can anyone think of any potential security risks to such practice? Any
> > suggestions and comments are greatly appreciated. Thank you!
>
> I can see no problem with that as far as you described it; any potential
> problems would crawl out of the 'according to need' part. You'd better
> be damn sure that no one but specially-authorized-sysadmin-processes can
> indicate 'need'.
>
> Other than that, no, there is no problem with root cron jobs per se, as
> long as you are careful :)

hmja, however in this case I'd also be interested in how this system
obtains its timing information. E.g. if the ipfw rules are set by a cronjob
and the machine is remotely updated from an ntp server for example, anyone
controlling the ntp server could in effect toggle your firewall rules.

I guess this is also somewhat contained in this 'according to need' part.

bye,
Stephanie

--<> _@r4k.net <>------------------<> FreeBSD <>-------------------
#3 - Anime Law of Sonic Amplification, First Law of Anime Acoustics
In space, loud sounds, like explosions, are even louder because
there is no air to get in the way.
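
The two cautions in this thread (only trusted processes may indicate 'need', and a stepped clock can toggle time-driven rules) written as pre-flight checks for the cron script. This is an added example, not code from either poster; the function names, file paths and the 2x-interval threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for a root cron job
# that changes ipfw rules. Paths, names and thresholds are assumptions.

# trusted_input FILE [UID]: true only if FILE is a regular file, not a
# symlink, owned by UID (default 0) and not group- or world-writable.
trusted_input() {
    f=$1; want=${2:-0}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    meta=$(ls -ldn -- "$f") || return 1
    set -- $meta                      # $1 = mode string, $3 = numeric uid
    [ "$3" = "$want" ] || return 1
    case $1 in
        ?????w*|????????w*) return 1 ;;   # group or other write bit set
    esac
}

# clock_step_ok LAST NOW INTERVAL (epoch seconds): true only if the clock
# did not go backwards or jump more than 2*INTERVAL since the last run.
# Catches steps (e.g. from a hostile NTP source), not slow slewing.
clock_step_ok() {
    delta=$(( $2 - $1 ))
    [ "$delta" -ge 0 ] && [ "$delta" -le $(( 2 * $3 )) ]
}

# preflight NEED STATE INTERVAL [UID]: prints "apply", "skip" or "hold".
# On "hold" the state file is left alone, so rules stay frozen until an
# admin checks the clock and removes it (a long reboot gap also lands here).
preflight() {
    need=$1; state=$2; every=$3; uid=${4:-0}
    now=$(date +%s)
    trusted_input "$need" "$uid" || { echo skip; return 1; }
    if [ -e "$state" ] || [ -L "$state" ]; then
        trusted_input "$state" "$uid" || { echo hold; return 1; }
        last=$(cat "$state")
        case $last in ''|*[!0-9]*) echo hold; return 1 ;; esac
        clock_step_ok "$last" "$now" "$every" || { echo hold; return 1; }
    fi
    ( umask 077; echo "$now" > "$state" ) || { echo hold; return 1; }
    echo apply
}

# Cron usage (hypothetical paths); the script's ipfw commands follow it:
#   preflight /root/fw/need /var/db/fw.last 300 >/dev/null || exit 1
```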