Date: Thu, 12 Aug 2004 12:05:56 +0800 From: Xin LI <delphij@frontfree.net> To: Thomas Quinot <thomas@FreeBSD.ORG> Cc: Doug Barton <DougB@FreeBSD.org> Subject: Re: [PATCH] Tighten /etc/crontab permissions Message-ID: <20040812040556.GC305@frontfree.net> In-Reply-To: <20040811132930.GA3936@melusine.cuivre.fr.eu.org> References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <20040811132930.GA3936@melusine.cuivre.fr.eu.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--hYooF8G/hrfVAmum Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote: > * Doug Barton, 2004-08-10 : >=20 > > Do you have a reason for wanting to do this other than, "OpenBSD does i= t=20 > > this way?" I personally see no problems, and some benefit for users=20 > > being able to see the system crontab. If the superuser needs to run=20 > > "secret" cron jobs, then there is root's crontab that can be used for= =20 > > this purpose. >=20 > Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab > on all systems I set up. People who need tightened security against > hostile local users can use tools such as security/lockdown that will, > among many other things, remove world-read permissions from a bunch of > systemwide configuration files, including /etc/crontab. I think I would want to compromise at this point ;) In addition of this, personally I suggest the following changes to be made: - Provide an option in sysinstall so users will be instructed to choose whether to ``lockdown'' their systems as soon as the configuration is completed. Also, include this utility in the installation disc. - Add a new security audit script which will tell admins that the permission of "watched" configurations was altered. This might be turned off by default, or even a depency port of lockdown, to provide a mechanism to detect potential break-ins earlier, and to notice users when something like mergemaster or manual etc/ upgrades has reverted the permissions. What do you think about this? Actually the FreeBSD Simplified Chinese project is recently coordinating an effort of making an Internationalized FreeBSD Installer, I think we will try to implement these things if they looks better. Cheers, --=20 Xin LI <delphij frontfree net> http://www.delphij.net/ See complete headers for GPG key and other information. --hYooF8G/hrfVAmum Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFBGuykOfuToMruuMARAm5tAJ437PcJgS+ducDSxcUY3KyARjIZlQCfXe3f i9Xw2EJxrbJ2jJec37c6Mwc= =NNky -----END PGP SIGNATURE----- --hYooF8G/hrfVAmum--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040812040556.GC305>