[PATCH] Tighten /etc/crontab permissions

Ryan Thompson ryan at sasknow.com
Wed Aug 11 13:56:28 PDT 2004


Hi Xin,

Personally, I'd be opposed to this idea, for a couple of reasons:

1. The impact is too narrow. There are many, many files in /etc/ (and
   elsewhere, for that matter) that are also currently set world-
   readable by default. Patching the perms of just one file creates
   inconsistency, and, without a more general policy on this sort of
   thing, we're likely to hear whining about "everything *else* is
   world-readable. What's so special about /etc/crontab?"

2. Even if there *is* some small security benefit to be gained through
   obscurity (see #3), it's probably outweighed by the convenience of
   the matter in this case, and that has some real security
   implications. We'd be asking admins to su every time they want to look
   at /etc/crontab. For most of us, we consider our systems more secure
   the more we can do without a superuser shell.

3. You're not really gaining much by making /etc/crontab only readable
   by the superuser. It's currently trivial for regular users to view
   process information, and most cron jobs run on predictable boundaries
   (since per-minute timings are the most granular scheduling allowed).
   We don't want admins thinking, "nobody else can read this file, so
   anything I put in here must be top secret", because that's *not* the
   case.

Just my CA$0.10. :-)

- Ryan

Xin LI wrote to freebsd-security at freebsd.org:

> Hi folks,
> 
> While investigating OpenBSD's cron implementation, I found that they set
> the systemwide crontab (a.k.a. /etc/crontab) to be readable by the
> superuser only.  The attached patch will bring this to FreeBSD by moving
> crontab out from BIN1 group and install it along with master.passwd.
> 
> This change should not affect the current cron(1) behavior.
> 
> Cheers,
> --
> Xin LI <delphij frontfree net>	http://www.delphij.net/
> See complete headers for GPG key and other information.
> 
> 

-- 
  Ryan Thompson <ryan at sasknow.com>

  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4

        Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America
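To make Ryan's first point concrete, here is an added audit script (not part of the thread, and not Xin's patch) that lists the world-readable files under a configuration directory and then applies the one-file change the patch proposes, so the remaining siblings are visible. The mock directory, its file names and contents are constructed for the demonstration; the 0644/0600 modes are assumptions about how BIN1 files and master.passwd are installed.

```shell
#!/bin/sh
# Added example: audit "other"-readable files in a config directory and see
# what a single-file permission change does (and does not) cover.

# List regular files under $1 whose mode grants read to "other", sorted.
world_readable_in() {
    find "$1" -type f -perm -004 | sort
}

# Count those files (trailing whitespace from wc stripped for portability).
count_world_readable() {
    world_readable_in "$1" | wc -l | tr -d ' '
}

# True (exit 0) when the single file $1 is readable by "other".
is_world_readable() {
    [ -n "$(find "$1" -type f -perm -004 2>/dev/null)" ]
}

# Build a constructed stand-in for /etc (never touches the real one):
# crontab as a BIN1-style 0644 file, master.passwd 0600, one more 0644 file.
make_mock_etc() {
    d=$(mktemp -d) || return 1
    printf '# minute hour mday month wday who command\n' > "$d/crontab"
    chmod 0644 "$d/crontab"
    printf 'root:*:0:0::0:0:Charlie &:/root:/bin/sh\n' > "$d/master.passwd"
    chmod 0600 "$d/master.passwd"
    printf 'hosts: files dns\n' > "$d/nsswitch.conf"
    chmod 0644 "$d/nsswitch.conf"
    printf '%s\n' "$d"
}

# What the proposed patch amounts to on disk: crontab gets master.passwd's
# mode (assumed 0600). Everything else in the directory is left as it was.
tighten_crontab() {
    chmod 0600 "$1/crontab"
}
```

Running `world_readable_in /etc` on a real host shows how many neighbours crontab has, which is the inconsistency argument in numbers.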