[PATCH] Tighten /etc/crontab permissions
Ryan Thompson
ryan at sasknow.com
Wed Aug 11 13:56:28 PDT 2004
Hi Xin,
Personally, I'd be opposed to this idea, for a couple of reasons:
1. The impact is too narrow. There are many, many files in /etc/ (and
elsewhere, for that matter) that are also currently set world-
readable by default. Patching the perms of just one file creates
inconsistency, and, without a more general policy on this sort of
thing, we're likely to hear whining about "everything *else* is
world-readable. What's so special about /etc/crontab?"
2. Even if there *is* some small security benefit to be gained through
obscurity (see #3), it's probably outweighed by the convenience of
the matter in this case, and that has some real security
implications. We'd be asking admins to su every time they want to look
at /etc/crontab. For most of us, we consider our systems more secure
the more we can do without a superuser shell.
3. You're not really gaining much by making /etc/crontab only readable
by the superuser. It's currently trivial for regular users to view
process information, and most cron jobs run on predictable boundaries
(since per-minute timings are the most granular scheduling allowed).
We don't want admins thinking, "nobody else can read this file, so
anything I put in here must be top secret", because that's *not* the
case.
Just my CA$0.10. :-)
- Ryan
Xin LI wrote to freebsd-security at freebsd.org:
> Hi folks,
>
> While investigating OpenBSD's cron implementation, I found that they set
> the systemwide crontab (a.k.a. /etc/crontab) to be readable by the
> superuser only. The attached patch will bring this to FreeBSD by moving
> crontab out from BIN1 group and install it along with master.passwd.
>
> This change should not affect the current cron(1) behavior.
>
> Cheers,
> --
> Xin LI <delphij frontfree net> http://www.delphij.net/
> See complete headers for GPG key and other information.
--
Ryan Thompson <ryan at sasknow.com>
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
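Point 3 above claims that the process table already tells an unprivileged user what cron runs, so restricting /etc/crontab to root hides little. The script below is an added example written for this page; it is not code from the mail, from Xin LI's patch, or from FreeBSD. It reads `ps` output, picks out every process whose parent is the cron daemon, and can poll at the start of each minute (cron's finest scheduling granularity) to log the jobs as they are spawned. The cron pid 812, the other pids and the job command lines in SAMPLE_PS are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example: watch what cron executes using only the world-readable
# process table. No read access to /etc/crontab and no root shell needed.

# cron_jobs CRON_PID < ps-output
# Expects lines of "pid ppid user command..." as produced by
# `ps axo pid,ppid,user,command` (header line first). Prints
# "user<TAB>command" for each process whose parent is the cron daemon,
# i.e. each job cron has just started. Grandchildren are not listed.
cron_jobs() {
    awk -v cron="$1" '
        NR > 1 && $2 == cron {
            user = $3
            $1 = $2 = $3 = ""          # drop pid, ppid, user columns
            sub(/^[ \t]+/, "")         # rebuilt $0 has leading OFS padding
            print user "\t" $0
        }'
}

# Constructed sample of ps output (not from a real host): cron, pid 812,
# has just spawned two jobs at a minute boundary, one of which forked.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
  812     1 root     /usr/sbin/cron -s
 4410   812 root     /bin/sh -c /usr/libexec/atrun
 4411   812 operator /bin/sh -c /usr/libexec/save-entropy
 4412  4411 operator /bin/sh /usr/libexec/save-entropy
 2290  2200 alice    -sh'

# watch_cron: as a regular user, sleep until second 00 of each minute,
# snapshot the process table and report what cron launched. Assumes
# pgrep(1) is available and the daemon process is named "cron".
watch_cron() {
    cron_pid=$(pgrep -x cron | head -n 1)
    [ -n "$cron_pid" ] || { echo "cron not running" >&2; return 1; }
    while :; do
        now=$(date +%S | sed 's/^0//')       # strip leading zero (08, 09)
        sleep $((60 - now))
        ps axo pid,ppid,user,command | cron_jobs "$cron_pid"
        sleep 1
    done
}

case "${1:-}" in
    watch) watch_cron ;;
    *)     printf '%s\n' "$SAMPLE_PS" | cron_jobs 812 ;;
esac
```

Run it with `watch` as the only argument on a live system to see the jobs roll past each minute; with no argument it just parses the constructed sample. Two caveats a practitioner should keep in mind: only what appears on the command line is exposed this way (a job that reads its real work from a file or environment stays hidden), and a system where `security.bsd.see_other_uids` is set to 0 on FreeBSD, or /proc is mounted with `hidepid` on Linux, no longer shows other users' processes at all, which changes the calculus Ryan describes.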