Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 11 Aug 2004 14:56:25 -0600 (CST)
From:      Ryan Thompson <ryan@sasknow.com>
To:        freebsd-security@freebsd.org
Subject:   Re: [PATCH] Tighten /etc/crontab permissions
Message-ID:  <20040811145610.K41454@drizzle.sasknow.net>
In-Reply-To: <20040811111334.G44734@drizzle.sasknow.net>
References:  <20040810161305.GA161@frontfree.net> <20040811111334.G44734@drizzle.sasknow.net>

next in thread | previous in thread | raw e-mail | index | archive | help

Hi Xin,

Personally, I'd be opposed to this idea, for a couple of reasons:

1. The impact is too narrow. There are many, many files in /etc/ (and
   elsewhere, for that matter) that are also currently set world-
   readable by default. Patching the perms of just one file creates
   inconsistency, and, without a more general policy on this sort of
   thing, we're likely to hear whining about "everything *else* is
   world-readable. What's so special about /etc/crontab?"

2. Even if there *is* some small security benefit to be gained through
   obscurity (see #3), it's probably outweighed by the convenience of
   the matter in this case, and that has some real security
   implications. We'd be asking admins to su everytime they want to look
   at /etc/crontab. For most of us, we consider our systems more secure
   the more we can do without a superuser shell.

3. You're not really gaining much by making /etc/crontab only readable
   by the superuser. It's currently trivial for regular users to view
   process information, and most cron jobs run on predictable boundaries
   (since per-minute timings are the most granular scheduling allowed).
   We don't want admins thinking, "nobody else can read this file, so
   anything I put in here must be top secret", because that's *not* the
   case.

Just my CA$0.10. :-)

- Ryan

Xin LI wrote to freebsd-security@freebsd.org:

> Hi folks,
> 
> While investigating OpenBSD's cron implementation, I found that they set
> the systemwide crontab (a.k.a. /etc/crontab) to be readable by the
> superuser only.  The attached patch will bring this to FreeBSD by moving
> crontab out from BIN1 group and install it along with master.passwd.
> 
> This change should not affect the current cron(1) behavior.
> 
> Cheers,
> --
> Xin LI <delphij frontfree net>	http://www.delphij.net/
> See complete headers for GPG key and other information.
> 
> 

-- 
  Ryan Thompson <ryan@sasknow.com>

  SaskNow Technologies - http://www.sasknow.com
  901-1st Avenue North - Saskatoon, SK - S7K 1Y4

        Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040811145610.K41454>