Re: [PATCH] Tighten /etc/crontab permissions

From: Ryan Thompson (ryan_at_sasknow.com)
Date: 08/11/04

Next message: Ryan Thompson: "FreeBSD-SA-04:13.linux in the wild"

Previous message: c0ldbyte: "Re: freebsd-security Digest, Vol 72, Issue 2"
Maybe in reply to: Xin LI: "[PATCH] Tighten /etc/crontab permissions"
Next in thread: Xin LI: "Re: [PATCH] Tighten /etc/crontab permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 11 Aug 2004 14:56:25 -0600 (CST)
To: freebsd-security@freebsd.org

Hi Xin,

Personally, I'd be opposed to this idea, for a couple of reasons:

1. The impact is too narrow. There are many, many files in /etc/ (and
   elsewhere, for that matter) that are also currently set world-
   readable by default. Patching the perms of just one file creates
   inconsistency, and, without a more general policy on this sort of
   thing, we're likely to hear whining about "everything *else* is
   world-readable. What's so special about /etc/crontab?"

2. Even if there *is* some small security benefit to be gained through
   obscurity (see #3), it's probably outweighed by the convenience of
   the matter in this case, and that has some real security
   implications. We'd be asking admins to su everytime they want to look
   at /etc/crontab. For most of us, we consider our systems more secure
   the more we can do without a superuser shell.

3. You're not really gaining much by making /etc/crontab only readable
   by the superuser. It's currently trivial for regular users to view
   process information, and most cron jobs run on predictable boundaries
   (since per-minute timings are the most granular scheduling allowed).
   We don't want admins thinking, "nobody else can read this file, so
   anything I put in here must be top secret", because that's *not* the
   case.

Just my CA$0.10. :-)

- Ryan

Xin LI wrote to freebsd-security@freebsd.org:

> Hi folks,
>
> While investigating OpenBSD's cron implementation, I found that they set
> the systemwide crontab (a.k.a. /etc/crontab) to be readable by the
> superuser only. The attached patch will bring this to FreeBSD by moving
> crontab out from BIN1 group and install it along with master.passwd.
>
> This change should not affect the current cron(1) behavior.
>
> Cheers,
> --
> Xin LI <delphij frontfree net> http://www.delphij.net/
> See complete headers for GPG key and other information.
>
>

-- 
  Ryan Thompson <ryan@sasknow.com>
  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4
        Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Next message: Ryan Thompson: "FreeBSD-SA-04:13.linux in the wild"

Previous message: c0ldbyte: "Re: freebsd-security Digest, Vol 72, Issue 2"
Maybe in reply to: Xin LI: "[PATCH] Tighten /etc/crontab permissions"
Next in thread: Xin LI: "Re: [PATCH] Tighten /etc/crontab permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]