10 messages in org.freebsd.freebsd-security[PATCH] Tighten /etc/crontab permissions| From | Sent On | Attachments |
|---|---|---|
| Xin LI | Aug 10, 2004 9:43 am | |
| Doug Barton | Aug 10, 2004 10:03 am | |
| Xin LI | Aug 10, 2004 11:17 am | |
| Garance A Drosihn | Aug 10, 2004 12:13 pm | |
| Gustavo A. Baratto | Aug 10, 2004 12:52 pm | |
| Jason Stone | Aug 10, 2004 1:29 pm | |
| Andrew McNaughton | Aug 10, 2004 1:38 pm | |
| Ryan Thompson | Aug 11, 2004 1:56 pm | |
| Xin LI | Aug 11, 2004 9:05 pm | |
| Doug Barton | Aug 11, 2004 9:56 pm |
| Subject: | [PATCH] Tighten /etc/crontab permissions | |
|---|---|---|
| From: | Garance A Drosihn (dro...@rpi.edu) | |
| Date: | Aug 10, 2004 12:13:41 pm | |
| List: | org.freebsd.freebsd-security | |
At 2:10 AM +0800 8/11/04, Xin LI wrote:
On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote:
Can you elaborate on your thinking?
I'm not sure if this is a sort of abusing systemwide crontabs, but the administrators at my company have used them to run some tasks periodicly under other identities (to limit these tasks' privilege), and it provided a somewhat "centralized" management so they would prefer to use systemwide crontab rather than per-user ones.
You could get about the same effect by having them all under root's crontab, and then having the entry 'su' to the appropriate userid before running. So it is centralized in one crontab (root's), but it is protected from prying eyes.
What do you think about the benefit for users being able to see the system crontab? I think knowing what would be executed under others' identity is (at least) not always a good thing, especially the users we generally don't fully trust...
For generic system tasks, it can be useful to know when they run. Maybe this means more to me because I'm actually awake at all odd hours of the morning, so I notice the effects of some of those runs. My runs of 'cvsup_mirror', for instance.
Basically, I use the system crontab for events where I think it is safe for every user to know when the events occur, and use other crontabs for the things I want to keep private. Just a personal preference thing, obviously.