Thus spoke Mark Ferlatte <email@example.com> [2004.11.07.1012 +0100]:
> Okay. I guess my next question is: why do you want your user
> crontabs NFS mounted from your clients?

The cluster nodes are frequently reinstalled, so the crontabs need to
be installed automatically.

> This actually closes a security hole; if you are NFS mounting your
> crons, then all I have to do is spoof your client's NFS mount (or
> response) to get cron to run any command I want as any user on
> that system.

Hey, it's NFS. It's inherently insecure. Until I switch it all to
IPsec, the cluster is open to everyone with physical access.

> > One idea I had last night is a crontab wrapper, along with
> > a root_squash NFS export. A cron job copies the files from there to
> > /var/spool/cron/crontabs as you describe. But when the user calls
> > crontab, what happens is that the file is first explicitly copied
> > from the NFS mount, then crontab(1) is invoked, and upon exit, the
> > user crontab is saved back to the NFS. I think this would work fine,
> > don't you think?
>
> Sure, if you want to go that way, a wrapper around crontab is fine.

That, in addition to an @reboot cron job to initialise
/var/spool/cron/crontabs from the NFS-mounted /var/local/crontabs,
did the trick.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <firstname.lastname@example.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
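The wrapper and @reboot job described in the message above, as an added example that is not part of the original mail. The function names and the CRONTAB variable are hypothetical, users are assumed able to create files in /var/local/crontabs, and the ownership and symlink checks are an addition, since anything that can write to the NFS directory otherwise chooses what cron runs for another user.

```shell
#!/bin/sh
# Added example: function names and the CRONTAB variable are hypothetical.
NFS_DIR=${NFS_DIR:-/var/local/crontabs}   # NFS-mounted directory from the thread
CRONTAB=${CRONTAB:-/usr/bin/crontab}      # real binary, so a wrapper cannot recurse

# True only if $2 is a regular file (not a symlink) owned by user $1.
owned_regular_file() {
    [ -n "$(find "$2" -prune -type f -user "$1" -print 2>/dev/null)" ]
}

# For the @reboot job (run as root): install each user's crontab from NFS
# through crontab(1) and print how many were installed.
restore_crontabs() (
    n=0
    for f in "$NFS_DIR"/*; do
        user=${f##*/}
        # The file name is used as a user name: refuse option-like or odd names.
        case $user in -*|.*|*[!A-Za-z0-9._-]*) continue ;; esac
        # Assumption: a user's crontab must be owned by that user; skip the rest.
        owned_regular_file "$user" "$f" || continue
        "$CRONTAB" -u "$user" "$f" && n=$((n + 1))
    done
    echo "$n"
)

# Wrapper for users: load the NFS copy, run crontab(1), save the result back.
crontab_wrapper() (
    me=$(id -un 2>/dev/null) || me=$(id -u)
    f=$NFS_DIR/$me
    if owned_regular_file "$me" "$f"; then "$CRONTAB" "$f" || exit 1; fi
    "$CRONTAB" "$@" || exit $?
    umask 077
    tmp=$(mktemp "$NFS_DIR/.$me.XXXXXX") || exit 1
    if "$CRONTAB" -l > "$tmp" 2>/dev/null; then
        mv "$tmp" "$f"            # rename within one directory
    else
        rm -f "$tmp" "$f"         # no crontab left (e.g. after crontab -r)
    fi
)
```

Both functions go through crontab(1) rather than copying into /var/spool/cron/crontabs, so the spool keeps the ownership and modes cron expects.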