[PATCH] Tighten /etc/crontab permissions

Gustavo A. Baratto gbaratto at superb.net
Tue Aug 10 12:40:28 PDT 2004


It is better to have something secure by default. If someone wants to open
up the crontab in /etc/crontab for other users to see it, he/she can do it
at his/her own risk.
Many people who are not very familiar with system administration or security,
but yet manage a server, could add cronjobs that could be very harmful to
themselves and they don't know it (e.g. mysqldump for backups with the password
hardcoded in the command).

Maybe the purpose of /etc/crontab is exactly to be a read-by-all file.
That's fine, but in this case, a security warning in BIG letters should be
printed at the very beginning of the file.

my $0.02 ;)


----- Original Message ----- 
From: "Garance A Drosihn" <drosih at rpi.edu>
To: "Xin LI" <delphij at frontfree.net>; "Doug Barton" <DougB at freebsd.org>
Cc: <freebsd-security at freebsd.org>
Sent: Tuesday, August 10, 2004 12:01 PM
Subject: Re: [PATCH] Tighten /etc/crontab permissions


> At 2:10 AM +0800 8/11/04, Xin LI wrote:
> >
> >On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote:
> >>
> >> Can you elaborate on your thinking?
> >
> >I'm not sure if this is a sort of abusing systemwide crontabs, but
> >the administrators at my company have used them to run some tasks
> >periodically under other identities (to limit these tasks' privilege),
> >and it provided a somewhat "centralized" management so they would
> >prefer to use systemwide crontab rather than per-user ones.
>
> You could get about the same effect by having them all under root's
> crontab, and then having the entry 'su' to the appropriate userid
> before running.  So it is centralized in one crontab (root's), but
> it is protected from prying eyes.
>
> >What do you think about the benefit for users being able to see
> >the system crontab?  I think knowing what would be executed under
> >others' identity is (at least) not always a good thing, especially
> >the users we generally don't fully trust...
>
> For generic system tasks, it can be useful to know when they run.
> Maybe this means more to me because I'm actually awake at all odd
> hours of the morning, so I notice the effects of some of those
> runs.  My runs of 'cvsup_mirror', for instance.
>
> Basically, I use the system crontab for events where I think it
> is safe for every user to know when the events occur, and use
> other crontabs for the things I want to keep private.  Just a
> personal preference thing, obviously.
>
> -- 
> Garance Alistair Drosehn            =   gad at gilead.netel.rpi.edu
> Senior Systems Programmer           or  gad at freebsd.org
> Rensselaer Polytechnic Institute    or  drosih at rpi.edu
>
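The risk raised in this thread (a world-readable system crontab holding a mysqldump job with the password on the command line) can be checked mechanically. The following is an added example, not part of the thread or of the patch it discusses; the function names, the sample crontab, the matching patterns and the 0600 mode are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample in system-crontab format (time fields, user, command).
SAMPLE = """\
SHELL=/bin/sh
*/5 * * * * root /usr/libexec/atrun
0 3 * * * backup mysqldump -u backup -pEXAMPLE_SECRET appdb > /var/backups/appdb.sql
@daily operator mysqldump --defaults-extra-file=/home/operator/.my.cnf appdb
"""

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")
MYSQL_TOOL = re.compile(r"\bmysql(?:dump|admin)?\b")
# -pVALUE or --password=VALUE; a bare -p only prompts, so it is not flagged.
PASSWORD_ARG = re.compile(r"(?<!\S)(?:--password=\S+|-p\S+)")

def parse_system_crontab(text):
    """Yield (lineno, user, command) for each job line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        nfields = 1 if line.startswith("@") else 5
        parts = line.split(None, nfields + 1)
        if len(parts) == nfields + 2:  # skip malformed lines
            yield lineno, parts[nfields], parts[nfields + 1]

def audit(path):
    """Report the file mode and the jobs that embed a MySQL password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        jobs = list(parse_system_crontab(fh.read()))
    exposed = [(n, user) for n, user, cmd in jobs
               if MYSQL_TOOL.search(cmd) and PASSWORD_ARG.search(cmd)]
    return {"mode": oct(mode), "world_readable": bool(mode & stat.S_IROTH),
            "exposed": exposed}

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "crontab")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        results = []
        for mode in (0o644, 0o600):  # world-readable, then assumed tightened mode
            os.chmod(path, mode)
            results.append(audit(path))
    return results
```

Tightening the mode removes the read exposure but leaves the password in the file; the second sample job is not flagged because it reads its credentials from a separate option file (path assumed).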