Re: setgid crontab
On Mon, Aug 04, 2003 at 07:55:34PM -0700, Blars Blarson wrote:
> In article <20030803011923.GP24128@alcor.net> firstname.lastname@example.org writes:
> >On Sat, Aug 02, 2003 at 02:51:03PM -0500, Steve Greenland wrote:
> >Under this setup, when cron opens a crontab file, it should fstat() it and
> >check that it is owned by the uid under which its contents will be executed
> >before trusting it.
> It should not trust symbolic links either. Otherwise it instanly promotes
> everything that looks like a crontab into one.
The attack scenarios for this one are pretty unlikely, but a little paranoia
can't hurt here. I agree: