Subject: Re: cron (was Re: BSD auth for NetBSD)
To: Steven M. Bellovin <email@example.com>
From: Andrew Brown <firstname.lastname@example.org>
Date: 09/14/2003 00:34:36
On Sat, Sep 13, 2003 at 10:28:19PM -0400, Steven M. Bellovin wrote:
>In message <Pine.LNX.email@example.com>, "Jeremy C. Reed" writes:
>>> -r-sr-xr-x 4 root wheel 23284 Sep 6 21:30 /usr/bin/at
>>> -r-sr-xr-x 4 root wheel 23284 Sep 6 21:30 /usr/bin/atq
>>> -r-sr-xr-x 4 root wheel 23284 Sep 6 21:30 /usr/bin/atrm
>>> -r-sr-xr-x 4 root wheel 23284 Sep 6 21:30 /usr/bin/batch
>>> -r-sr-xr-x 1 root wheel 24048 Sep 6 21:30 /usr/bin/crontab
>>These are easy fixes (and not related to any authentication as far as I
>>Has there been any discussion on getting rid of setuid root and just using
>>setgid of cron-specific group? (And making the cron tabs directory
>>writable by that group.)
>That's a distinction without a difference, since a subverted crontab
>could rewrite root's file, which would be executed as root by crond.
well...since he said "making the cron tabs directory writable by that
what about this (silly fake output that describes what i'm thinking):
% ls -la /var/cron/tabs
drwx-wx--- 2 root crontabs 512 Aug 12 23:42 .
drwxr-xr-x 3 root wheel 512 May 11 17:14 ..
-rw------- 1 andrew crontabs 357 Mar 19 08:32 andrew
-rw------- 1 root crontabs 934 Aug 12 23:42 root
% ls -l /usr/bin/crontab
-r-xr-sr-x 1 root crontabs 24592 Aug 11 12:43 /usr/bin/crontab*
so that users can only use crontab to put a crontab in place, cron
runs as root so that cron itself can get stuff from there (and so that
it can setuid), and if it finds a file, it ensures that the crontab
named "george" is owned by "george" (and root's is root, etc).
heck, you could even put a socket in there called "-cron" (since
usernames can't start with a - anyway) that, when connected to, would
cause cron to rescan the crontabs directory. the crontab binary
would, of course, merely cd to that directory and then toss the
crontabs group privs.
just making stuff up late at night here...
|-----< "CODE WARRIOR" >-----|
firstname.lastname@example.org * "ah! i see you have the internet
email@example.com (Andrew Brown) that goes *ping*!"
firstname.lastname@example.org * "information is power -- share the wealth."
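The ownership rule sketched in the message above (cron, running as root, trusts a file in a group-writable spool only if the file named "george" is actually owned by george) as an added example in C; this is not code from the mail or from NetBSD's cron. The name filter, the single-link and no-group-write checks, and the `make_sample_spool` helper that builds a constructed spool directory are my additions, not something the mail specifies.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open <spooldir>/<name>, returning the fd only if it is a regular file owned by
 * `owner` with one link and no group/world write bit. O_NOFOLLOW rejects planted
 * symlinks; fstat() on the descriptor checks the same object that gets read. */
int open_trusted_crontab(const char *spooldir, const char *name, uid_t owner)
{
    char path[PATH_MAX];
    struct stat st;
    int fd;
    /* names that cannot be usernames are never loaded: "-cron", "..", "a/b" */
    if (name[0] == '\0' || name[0] == '-' || name[0] == '.' || strchr(name, '/'))
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", spooldir, name) >= (int)sizeof path)
        return -1;
    if ((fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK)) == -1)
        return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_uid != owner
        || st.st_nlink != 1 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The rule from the mail: the crontab named "george" must be owned by george. */
int open_user_crontab(const char *spooldir, const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw == NULL ? -1 : open_trusted_crontab(spooldir, name, pw->pw_uid);
}

/* Constructed sample spool: make a temp dir from the mkdtemp template in `dir`
 * and put one crontab with the given name and mode in it, owned by the caller. */
int make_sample_spool(char *dir, const char *name, mode_t mode)
{
    char path[PATH_MAX]; int fd;
    if (mkdtemp(dir) == NULL || snprintf(path, sizeof path, "%s/%s", dir, name) < 0)
        return -1;
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode)) == -1) return -1;
    return write(fd, "0 3 * * * /usr/bin/true\n", 24) == 24 ? close(fd) : -1;
}
```

Run as an unprivileged user the spool lands under /tmp and the file is owned by you, so `open_trusted_crontab(dir, "alice", geteuid())` succeeds while any other uid, a symlink, a second hard link or a group-writable mode is refused.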