Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 12 Aug 2004 12:05:56 +0800
From:      Xin LI <delphij@frontfree.net>
To:        Thomas Quinot <thomas@FreeBSD.ORG>
Cc:        Doug Barton <DougB@FreeBSD.org>
Subject:   Re: [PATCH] Tighten /etc/crontab permissions
Message-ID:  <20040812040556.GC305@frontfree.net>
In-Reply-To: <20040811132930.GA3936@melusine.cuivre.fr.eu.org>
References:  <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <20040811132930.GA3936@melusine.cuivre.fr.eu.org>

next in thread | previous in thread | raw e-mail | index | archive | help

--hYooF8G/hrfVAmum
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote:
> * Doug Barton, 2004-08-10 :
>=20
> > Do you have a reason for wanting to do this other than, "OpenBSD does i=
t=20
> > this way?" I personally see no problems, and some benefit for users=20
> > being able to see the system crontab. If the superuser needs to run=20
> > "secret" cron jobs, then there is root's crontab that can be used for=
=20
> > this purpose.
>=20
> Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab
> on all systems I set up. People who need tightened security against
> hostile local users can use tools such as security/lockdown that will,
> among many other things, remove world-read permissions from a bunch of
> systemwide configuration files, including /etc/crontab.

I think I would want to compromise at this point ;)  In addition of this,
personally I suggest the following changes to be made:

	- Provide an option in sysinstall so users will be instructed
	  to choose whether to ``lockdown'' their systems as soon as
	  the configuration is completed.  Also, include this utility
	  in the installation disc.
	- Add a new security audit script which will tell admins that
	  the permission of "watched" configurations was altered.
	  This might be turned off by default, or even a depency port
	  of lockdown, to provide a mechanism to detect potential
	  break-ins earlier, and to notice users when something like
	  mergemaster or manual etc/ upgrades has reverted the
	  permissions.

What do you think about this?  Actually the FreeBSD Simplified Chinese
project is recently coordinating an effort of making an Internationalized
FreeBSD Installer, I think we will try to implement these
things if they looks better.

Cheers,
--=20
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.


--hYooF8G/hrfVAmum
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBGuykOfuToMruuMARAm5tAJ437PcJgS+ducDSxcUY3KyARjIZlQCfXe3f
i9Xw2EJxrbJ2jJec37c6Mwc=
=NNky
-----END PGP SIGNATURE-----

--hYooF8G/hrfVAmum--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040812040556.GC305>