Re: setgid crontab



On Sat, Aug 02, 2003 at 02:51:03PM -0500, Steve Greenland wrote:

> Apropos of the recent setuid/setgid thread, and also being prodded by
> Stephen Frost, I've changed crontab to be setgid 'cron' rather than
> setuid 'root'. Beyond the coding (which is mostly removing setuid()
> calls), this involves the following changes:
> 
> add system group 'cron'
> 
> change /var/spool/cron/crontabs from 755 root.root to 775 root.cron
> 
> change crontab files in the spool directory from 600 root.root to 600
> userid.cron
> 
> At first glance, the only access I've added with this is that a user can
> now view or edit (but not delete) her crontab file directly in the spool
> directory. Since one could do all that with the crontab command anyway, it
> doesn't seem a big deal.
> 
> Comments, suggestions?

If you were here, I would hug you, and if we ever do meet in person, I owe
you a beer.

I think a few more changes are necessary, though.  With the crontabs
directory mode 775, a user who gains access to the 'cron' group could create
a crontab file for root and thereby gain root privileges easily.

Under this setup, when cron opens a crontab file, it should fstat() it and
check that it is owned by the uid under which its contents will be executed
before trusting it.

I can't think of any problems with the user being able to read their own
crontab file, but there could be unexpected consequences in allowing them to
write to it without going through crontab.  It should be verified that cron
is performing the same validation checks on the contents that would be done
by crontab before accepting the new crontab file.

I will think about this some more.  Interestingly enough, a quick search
reveals that OpenBSD and SCO use a setgid cron setup, rather than setuid
root.  It may be worthwhile to check out OpenBSD's source code and see what
changes were made to support this configuration.

-- 
 - mdz
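
The fstat() ownership check suggested in the message above, as an added example that is not part of the original thread or of cron's source. The helper name `open_trusted_crontab` is hypothetical, and the regular-file, mode and `O_NOFOLLOW`/`O_NONBLOCK` checks are additions beyond what the message asks for; the temp file is a constructed stand-in for a spool entry.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from cron's source): open a spool file and
 * return its fd only if it is safe to run its contents as `run_as`.
 * Returns -1 if any check fails. */
int open_trusted_crontab(const char *path, uid_t run_as)
{
    struct stat st;
    /* A 'cron' group member can create entries in the 775 spool dir:
     * O_NOFOLLOW refuses symlinks, O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* fstat() the open descriptor, not the path, so the file that was
     * checked is the file that gets read. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||
        st.st_uid != run_as ||                 /* the ownership check */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {  /* added: files are 600 */
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample: a temp file stands in for a spool entry. */
    char path[] = "/tmp/crontab_demo_XXXXXX";
    int tmp = mkstemp(path);   /* created mode 600, owned by our euid */
    if (tmp < 0)
        return 1;
    close(tmp);
    int fd = open_trusted_crontab(path, geteuid());
    printf("owner matches: %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0)
        close(fd);
    fd = open_trusted_crontab(path, geteuid() + 1);
    printf("owner differs: %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0)
        close(fd);
    unlink(path);
    return 0;
}
```

With this check in place, a file named `root` that a 'cron' group member drops into the spool directory is owned by that member's uid, not uid 0, and is rejected.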
