[PATCH] Tighten /etc/crontab permissions
Garance A Drosihn
drosih at rpi.edu
Tue Aug 10 12:01:34 PDT 2004
At 2:10 AM +0800 8/11/04, Xin LI wrote:
>
>On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote:
>>
> > Can you elaborate on your thinking?
>
>I'm not sure if this is a sort of abusing systemwide crontabs, but
>the administrators at my company have used them to run some tasks
>periodicly under other identities (to limit these tasks' privilege),
>and it provided a somewhat "centralized" management so they would
>prefer to use systemwide crontab rather than per-user ones.
You could get about the same effect by having them all under root's
crontab, and then having the entry 'su' to the appropriate userid
before running. So it is centralized in one crontab (root's), but
it is protected from prying eyes.
>What do you think about the benefit for users being able to see
>the system crontab? I think knowing what would be executed under
>others' identity is (at least) not always a good thing, especially
>the users we generally don't fully trust...
For generic system tasks, it can be useful to know when they run.
Maybe this means more to me because I'm actually awake at all odd
hours of the morning, so I notice the effects of some of those
runs. My runs of 'cvsup_mirror', for instance.
Basically, I use the system crontab for events where I think it
is safe for every user to know when the events occur, and use
other crontabs for the things I want to keep private. Just a
personal preference thing, obviously.
--
Garance Alistair Drosehn = gad at gilead.netel.rpi.edu
Senior Systems Programmer or gad at freebsd.org
Rensselaer Polytechnic Institute or drosih at rpi.edu
More information about the freebsd-security
mailing list