
Re: NFS-mounting crontabs

thus spoke Mark Ferlatte <ferlatte@cryptio.net> [2004.11.07.1012 +0100]:
> Okay.  I guess my next question is: why do you want your user
> crontabs NFS mounted from your clients?

The cluster nodes are frequently reinstalled, so the crontabs need
to be installed automatically.

> This actually closes a security hole; if you are NFS mounting your
> crons, then all I have to do is spoof your client's NFS mount (or
> response) to get cron to run any command I want as any user on
> that system.

Hey, it's NFS. It's inherently insecure. Until I switch it all to
IPsec, the cluster is open to everyone with physical access.

> > One idea I had last night is a crontab wrapper, along with
> > a root_squash NFS export. A cron job copies the files from there to
> > /var/spool/cron/crontabs as you describe. But when the user calls
> > crontab, what happens is that the file is first explicitly copied
> > from the NFS mount, then crontab(1) is invoked, and upon exit, the
> > user crontab is saved back to the NFS. I think this would work fine,
> > don't you think?
> Sure, if you want to go that way, a wrapper around crontab is fine.

That, in addition to an @reboot cron job to initialise
/var/spool/cron/crontabs from the NFS mounted /var/local/crontabs
did the trick.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
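
The root-side half of the scheme described in this message (the cron and @reboot jobs that fill /var/spool/cron/crontabs from /var/local/crontabs), as an added example that is not part of the original message or the poster's own script. The function name and the per-file checks are assumptions of the example; they keep one user from planting a crontab under another account's name in the export, and do not address the NFS spoofing raised in the thread.

```shell
#!/bin/sh
# Added example: root-side sync of per-user crontabs from the NFS export
# into the local spool. The two paths are the ones named in the thread;
# sync_crontabs and its checks are hypothetical, not the poster's script.
LC_ALL=C; export LC_ALL          # byte-wise ranges in the patterns below
NFS_DIR=${NFS_DIR:-/var/local/crontabs}
SPOOL_DIR=${SPOOL_DIR:-/var/spool/cron/crontabs}

# sync_crontabs SRC DST: copy SRC/<user> to DST/<user> only when the file
# is a regular file owned by <user>. Prints the name of each file installed.
sync_crontabs() {
    src=$1 dst=$2
    for f in "$src"/*; do
        name=${f##*/}
        # Accept only plain account names (no dots, no leading digit).
        case $name in
            ''|[!a-z_]*|*[!a-z0-9_-]*) continue ;;
        esac
        # The name must be an existing account on this node.
        id -u "$name" >/dev/null 2>&1 || continue
        # Must be a regular file owned by that account. find does not
        # follow the symlink here, so a symlink fails the -type f test.
        [ -n "$(find "$f" -prune -type f -user "$name" 2>/dev/null)" ] || continue
        # Copy under a temporary name, then rename, so the final name
        # never holds a half-written file. cp -p keeps the verified
        # owner when run as root.
        tmp=$dst/.sync.$$
        cp -p "$f" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dst/$name" || {
            rm -f "$tmp"; continue; }
        echo "$name"
    done
}

# Called from a root cron job (periodically and on an @reboot line):
#   sync_crontabs "$NFS_DIR" "$SPOOL_DIR"
```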
