Re: [PATCH] Tighten /etc/crontab permissions

From: Xin LI (delphij_at_frontfree.net)
Date: 08/12/04

Next message: Doug Barton: "Re: [PATCH] Tighten /etc/crontab permissions"

Previous message: Ryan Thompson: "Re: FreeBSD-SA-04:13.linux in the wild"
Maybe in reply to: Xin LI: "[PATCH] Tighten /etc/crontab permissions"
Next in thread: Doug Barton: "Re: [PATCH] Tighten /etc/crontab permissions"
Reply: Doug Barton: "Re: [PATCH] Tighten /etc/crontab permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 12 Aug 2004 12:05:56 +0800
To: Thomas Quinot <thomas@FreeBSD.ORG>

On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote:
> * Doug Barton, 2004-08-10 :
>
> > Do you have a reason for wanting to do this other than, "OpenBSD does it
> > this way?" I personally see no problems, and some benefit for users
> > being able to see the system crontab. If the superuser needs to run
> > "secret" cron jobs, then there is root's crontab that can be used for
> > this purpose.
>
> Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab
> on all systems I set up. People who need tightened security against
> hostile local users can use tools such as security/lockdown that will,
> among many other things, remove world-read permissions from a bunch of
> systemwide configuration files, including /etc/crontab.

I think I would want to compromise at this point ;) In addition of this,
personally I suggest the following changes to be made:

        - Provide an option in sysinstall so users will be instructed
          to choose whether to ``lockdown'' their systems as soon as
          the configuration is completed. Also, include this utility
          in the installation disc.
        - Add a new security audit script which will tell admins that
          the permission of "watched" configurations was altered.
          This might be turned off by default, or even a depency port
          of lockdown, to provide a mechanism to detect potential
          break-ins earlier, and to notice users when something like
          mergemaster or manual etc/ upgrades has reverted the
          permissions.

What do you think about this? Actually the FreeBSD Simplified Chinese
project is recently coordinating an effort of making an Internationalized
FreeBSD Installer, I think we will try to implement these
things if they looks better.

Cheers,

-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.

application/pgp-signature attachment: stored

Next message: Doug Barton: "Re: [PATCH] Tighten /etc/crontab permissions"

Previous message: Ryan Thompson: "Re: FreeBSD-SA-04:13.linux in the wild"
Maybe in reply to: Xin LI: "[PATCH] Tighten /etc/crontab permissions"
Next in thread: Doug Barton: "Re: [PATCH] Tighten /etc/crontab permissions"
Reply: Doug Barton: "Re: [PATCH] Tighten /etc/crontab permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]