
Re: crontab and editors (was Re: Editor Priorities)

> 	How on earth are you going to prevent that? crontab /some/file
>  already allows one to replace my own crontab with something else. Or

Err, the point is that it only does that with files *you can read*.  The
attack in question is where a user does something like "crontab
/etc/shadow" which crontab itself succeeds in reading even though you
can't... or more trickily by replacing the user-edit copy of the file
with a symlink... or replacing the directory with a different one (or
a link elsewhere), etc.  A variety of integrity issues that have
nothing to do with what's in the file, only how it gets found...

However, the non-writable-directory approach should (as someone else
mentioned here) Do The Desired Thing even with copy-and-move
(ie. "correct enough to actually use") editors.
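
Added example (not part of the original message, and not crontab's actual source): one way a set-uid program can open a user-named file with only the invoking user's rights, covering the "crontab /etc/shadow" case and a symlink swapped in for the file itself. The helper name open_as_invoker is hypothetical; O_NOFOLLOW only guards the final path component, so a replaced parent directory still needs the non-writable-directory approach.

```c
/* Added example, not cron's source: open a user-named file from a
 * set-uid program without lending the caller our read privileges. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns a read-only fd, or -1 with errno set. */
int open_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    int fd, err;

    /* Do the access check as the real user, so "crontab /etc/shadow"
     * fails with EACCES exactly as cat(1) would for that user. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* O_NOFOLLOW: refuse a symlink swapped in for the final component.
     * O_NONBLOCK: do not hang if the path is a FIFO. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    err = errno;
    if (seteuid(saved_euid) != 0) {      /* could not regain privilege */
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) { errno = err; return -1; }

    /* Check the object we actually opened (fstat on the fd, not stat on
     * the name), so a later rename cannot change the answer. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_as_invoker(argc > 1 ? argv[1] : "/etc/shadow");
    if (fd < 0) { perror("open_as_invoker"); return 1; }
    puts("opened with the invoking user's own rights");
    close(fd);
    return 0;
}
```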
