Re: Cron Security



blmblm@xxxxxxxxxxxxx wrote:
> In article <5W4vh.66890$qO4.14995@xxxxxxxxxxxxxxxxxxxxxxxxxx>,
> Allen Kistler <ackistler@xxxxxxxxx> wrote:
>> Jenny wrote:
>>> We have a request from our Database Administrator where they wanted us
>>> to grant them the access to submit cron job using the oracle ID. Just
>>> wondering, is there any security issue if we allow oracle ID to be able
>>> to submit cron job? Please advise.
>> The rule of thumb is to deny access to crond by everyone except root.
>> crond runs as root, so allowing others access provides an opportunity
>> for a local root compromise.
>
> Can you say a little more about what kind of compromise you have in
> mind here? Experiment (on an FC4 system) suggests that a cron job
> submitted by a non-root user runs with that user's ID and can only
> do things permitted to that user, which is how I'd think it would be.
> So you must have in mind something more sophisticated -- ?

[snip]


cron runs as root, so anything that provides input to it can potentially
compromise root. cron "su"s to the user after (after, after, after...)
reading the user's crontab.
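
As an added example (not part of any post in this thread), a POSIX shell check of whether an account such as oracle is permitted to use crontab, following the cron.allow / cron.deny precedence of Vixie cron and cronie. The file and spool paths are assumptions that vary by distribution, and the case where neither file exists is reported as site-default because it depends on how cron was built.

```shell
#!/bin/sh
# Added example: audit who may submit cron jobs.
# Paths are parameters; the defaults below are assumptions (common on Linux).

# listed FILE USER -> exit 0 if USER appears as a whole line in FILE
listed() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# cron_access USER [ALLOW_FILE] [DENY_FILE]
# Prints: allowed | denied | site-default
# Special handling of root differs between cron builds and is not modelled.
cron_access() {
    ca_user=$1
    ca_allow=${2:-/etc/cron.allow}
    ca_deny=${3:-/etc/cron.deny}

    if [ -e "$ca_allow" ]; then
        # cron.allow exists: only listed users qualify; cron.deny is ignored.
        if listed "$ca_allow" "$ca_user"; then echo allowed; else echo denied; fi
    elif [ -e "$ca_deny" ]; then
        # Only cron.deny exists: everyone not listed qualifies.
        if listed "$ca_deny" "$ca_user"; then echo denied; else echo allowed; fi
    else
        # Neither file: behaviour is decided at build time (root only, or all).
        echo site-default
    fi
}

# audit_spool SPOOL_DIR [ALLOW_FILE] [DENY_FILE]
# For each per-user crontab in SPOOL_DIR (file name assumed to be the user
# name), print "<user> <verdict>" so crontabs owned by accounts that are not
# currently permitted stand out. Reading the real spool needs root.
audit_spool() {
    for as_file in "$1"/*; do
        [ -f "$as_file" ] || continue
        as_user=$(basename "$as_file")
        echo "$as_user $(cron_access "$as_user" "$2" "$3")"
    done
}

# Stand-alone use: ./cron_access.sh oracle
if [ $# -gt 0 ]; then
    cron_access "$@"
fi
```
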