[PATCH] Tighten /etc/crontab permissions

Xin LI delphij at frontfree.net
Wed Aug 11 21:06:06 PDT 2004 

On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote:
> * Doug Barton, 2004-08-10 :
> 
> > Do you have a reason for wanting to do this other than, "OpenBSD does it 
> > this way?" I personally see no problems, and some benefit for users 
> > being able to see the system crontab. If the superuser needs to run 
> > "secret" cron jobs, then there is root's crontab that can be used for 
> > this purpose.
> 
> Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab
> on all systems I set up. People who need tightened security against
> hostile local users can use tools such as security/lockdown that will,
> among many other things, remove world-read permissions from a bunch of
> systemwide configuration files, including /etc/crontab.

I think I would want to compromise at this point ;)  In addition of this,
personally I suggest the following changes to be made:

	- Provide an option in sysinstall so users will be instructed
	  to choose whether to ``lockdown'' their systems as soon as
	  the configuration is completed.  Also, include this utility
	  in the installation disc.
	- Add a new security audit script which will tell admins that
	  the permission of "watched" configurations was altered.
	  This might be turned off by default, or even a depency port
	  of lockdown, to provide a mechanism to detect potential
	  break-ins earlier, and to notice users when something like
	  mergemaster or manual etc/ upgrades has reverted the
	  permissions.

What do you think about this?  Actually the FreeBSD Simplified Chinese
project is recently coordinating an effort of making an Internationalized
FreeBSD Installer, I think we will try to implement these
things if they looks better.

Cheers,
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20040812/83e15a49/attachment.bin

More information about the freebsd-security mailing list