Apropos of the recent setuid/setgid thread, and also being prodded by
Stephen Frost, I've changed crontab to be setgid 'cron' rather than
setuid 'root'. Beyond the coding (which is mostly removing setuid()
calls), this involves the following changes:

  - add system group 'cron'
  - change /var/spool/cron/crontabs from 755 root.root to 775 root.cron
  - change crontab files in the spool directory from 600 root.root to 600

At first glance, the only access I've added with this is that a user can
now view or edit (but not delete) her crontab file directly in the spool
directory. Since one could do all that with the crontab command anyway, it
doesn't seem a big deal.

The irony is that Bill Gates claims to be making a stable operating
system and Linus Torvalds claims to be trying to take over the
world. -- seen on the net
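
A check for the layout described in the message above, as an added example that is not part of the original post or of the cron package. The /usr/bin/crontab path, the user name and the Entry/audit/from_path names are assumptions; the ownership of the per-user files is left unchecked because the message is cut off at that point.

```python
import grp
import os
import pwd
import stat
from collections import namedtuple

# kind is one of: "binary" (the crontab command), "spool" (the directory), "tab" (a user file)
Entry = namedtuple("Entry", "kind path mode owner group")

def from_path(kind, path):
    """Build an Entry from a live file; the constructed samples below do not use it."""
    st = os.stat(path)
    return Entry(kind, path, stat.S_IMODE(st.st_mode),
                 pwd.getpwuid(st.st_uid).pw_name,
                 grp.getgrgid(st.st_gid).gr_name)

def audit(entries, group="cron"):
    """Return (path, problem) pairs for entries that do not match the new layout."""
    findings = []
    for e in entries:
        if e.kind == "binary":
            if e.mode & stat.S_ISUID:
                findings.append((e.path, "still setuid"))
            if not (e.mode & stat.S_ISGID and e.group == group):
                findings.append((e.path, "not setgid " + group))
        elif e.kind == "spool":
            if (e.mode, e.owner, e.group) != (0o775, "root", group):
                findings.append((e.path, "expected 775 root." + group))
        elif e.kind == "tab":
            # Only the mode is checked: the owner is elided in the message.
            if e.mode != 0o600:
                findings.append((e.path, "expected mode 600"))
    return findings

# Constructed sample data: the layout before and after the change.
OLD = [Entry("binary", "/usr/bin/crontab", 0o4755, "root", "root"),
       Entry("spool", "/var/spool/cron/crontabs", 0o755, "root", "root"),
       Entry("tab", "/var/spool/cron/crontabs/alice", 0o600, "root", "root")]
NEW = [Entry("binary", "/usr/bin/crontab", 0o2755, "root", "cron"),
       Entry("spool", "/var/spool/cron/crontabs", 0o775, "root", "cron"),
       Entry("tab", "/var/spool/cron/crontabs/alice", 0o600, None, None)]

if __name__ == "__main__":
    for name, layout in (("old", OLD), ("new", NEW)):
        print(name, audit(layout))
```

On a real system, build the entries with from_path() instead of the constructed lists.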