Date: Wed, 17 Jan 2001 10:28:22 +0000
From: David Malone <dwmalone@maths.tcd.ie>
To: mbac@mmap.nyct.net
Cc: hackers@FreeBSD.org
Subject: Re: Permissions on crontab..
Message-ID: <20010117102822.B25338@walton.maths.tcd.ie>
In-Reply-To: <20010117001842.A28301@mmap.nyct.net>; from mbac@mmap.nyct.net on Wed, Jan 17, 2001 at 12:18:42AM -0500
References: <20010117001842.A28301@mmap.nyct.net>

On Wed, Jan 17, 2001 at 12:18:42AM -0500, mbac@mmap.nyct.net wrote:
> Why is crontab suid root?
>
> I say to myself "To update /var/cron/tabs/ and to signal cron".
>
> Could crontab run suid 'cron'?
>
> If those are the only two things it needs to do, run cron as
> gid 'cron' and make /var/cron/tabs/ group writable by 'cron'.

I'm not sure how much this would help. Being able to write arbitrary
crontabs is equivalent to root access. Making a user or group who
can write cron jobs is almost equivalent to adding a second root
user. It would probably be better to spend the time looking at the
crontab source code for risky bits of code.

(I guess it provides some protection in the case where you are
making the crontab user read files it shouldn't. If you can make
it write files it shouldn't then you're getting into the root
equivalent area).

	David.
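
An added example, not part of David's message or of FreeBSD's cron code: because write access to the crontab spool is argued above to be root equivalent, this Python script lists every owner, group or mode bit on the spool that grants such access. The function name, the trusted_uids/trusted_gids parameters and the policy that only uid 0 may own or write the spool are assumptions; putting a 'cron' gid in trusted_gids models the setup proposed in the quoted question.

```python
import os
import stat
import sys


def audit_cron_spool(spool_dir, trusted_uids=(0,), trusted_gids=()):
    """Return (path, reason) pairs for every way an id outside the
    trusted sets could create or alter a crontab under spool_dir."""
    findings = []
    entries = sorted(os.path.join(spool_dir, n) for n in os.listdir(spool_dir))
    # Check the directory itself first: write access there allows
    # creating or replacing any user's crontab.
    for path in [spool_dir] + entries:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink inside the spool"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, "owned by untrusted uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((path, "writable by gid %d" % st.st_gid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings


if __name__ == "__main__":
    # /var/cron/tabs is the spool path named in the thread.
    spool = sys.argv[1] if len(sys.argv) > 1 else "/var/cron/tabs"
    results = audit_cron_spool(spool)
    for path, reason in results:
        print("%s: %s" % (path, reason))
    sys.exit(1 if results else 0)
```

Every gid placed in trusted_gids should be read as a list of accounts that can schedule jobs as any user, which is the "second root" the reply describes.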