[PATCH] Tighten /etc/crontab permissions
Xin LI
delphij at frontfree.net
Wed Aug 11 21:06:06 PDT 2004
On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote:
> * Doug Barton, 2004-08-10 :
>
> > Do you have a reason for wanting to do this other than, "OpenBSD does it
> > this way?" I personally see no problems, and some benefit for users
> > being able to see the system crontab. If the superuser needs to run
> > "secret" cron jobs, then there is root's crontab that can be used for
> > this purpose.
>
> Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab
> on all systems I set up. People who need tightened security against
> hostile local users can use tools such as security/lockdown that will,
> among many other things, remove world-read permissions from a bunch of
> systemwide configuration files, including /etc/crontab.
I think I would want to compromise at this point ;) In addition of this,
personally I suggest the following changes to be made:
- Provide an option in sysinstall so users will be instructed
to choose whether to ``lockdown'' their systems as soon as
the configuration is completed. Also, include this utility
in the installation disc.
- Add a new security audit script which will tell admins that
the permission of "watched" configurations was altered.
This might be turned off by default, or even a depency port
of lockdown, to provide a mechanism to detect potential
break-ins earlier, and to notice users when something like
mergemaster or manual etc/ upgrades has reverted the
permissions.
What do you think about this? Actually the FreeBSD Simplified Chinese
project is recently coordinating an effort of making an Internationalized
FreeBSD Installer, I think we will try to implement these
things if they looks better.
Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20040812/83e15a49/attachment.bin
More information about the freebsd-security
mailing list