Re: setgid crontab
On Sun, 3 Aug 2003 05:51, Steve Greenland wrote:
> Apropos of the recent setuid/setgid thread, and also being prodded by
> Stephen Frost, I've changed crontab to be setgid 'cron' rather than
> setuid 'root'. Beyond the coding (which is mostly removing setuid()
> calls), this involves the following changes:
Sounds good to me. You are not the first person to do it however, I believe
that Solar Designer did the same thing for OpenWall (of course when Solar
Designer has the same security idea as you then it's a good sign you're doing
the right thing).
If we are going to remove SETUID/SETGID programs then we should look at what
Solar Designer is doing, particularly in TCB http://www.openwall.com/tcb/ .
> At first glance, the only access I've added with this is that a user can
> now view or edit (but not delete) her crontab file directly in the spool
> directory. Since one could all that with the crontab command anyway, it
> doesn't seem a big deal.
If a user is listed in /etc/cron.deny then "crontab -l" does not work for
them, so if you permit them to cat the file directly then you are changing
the functionality, which may not be desired.
It's easy enough to make the directory containing the files be mode 0775 to
solve this. I don't know why the directory is currently mode 0755, this
allows any user to see who has a crontab file, when it was last updated, and
how big it is. I don't think that this is desirable (my SE Linux policy
prevents such access).
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Reply to: