Date: Wed, 11 Aug 2004 14:56:25 -0600 (CST) From: Ryan Thompson <ryan@sasknow.com> To: freebsd-security@freebsd.org Subject: Re: [PATCH] Tighten /etc/crontab permissions Message-ID: <20040811145610.K41454@drizzle.sasknow.net> In-Reply-To: <20040811111334.G44734@drizzle.sasknow.net> References: <20040810161305.GA161@frontfree.net> <20040811111334.G44734@drizzle.sasknow.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Xin, Personally, I'd be opposed to this idea, for a couple of reasons: 1. The impact is too narrow. There are many, many files in /etc/ (and elsewhere, for that matter) that are also currently set world- readable by default. Patching the perms of just one file creates inconsistency, and, without a more general policy on this sort of thing, we're likely to hear whining about "everything *else* is world-readable. What's so special about /etc/crontab?" 2. Even if there *is* some small security benefit to be gained through obscurity (see #3), it's probably outweighed by the convenience of the matter in this case, and that has some real security implications. We'd be asking admins to su everytime they want to look at /etc/crontab. For most of us, we consider our systems more secure the more we can do without a superuser shell. 3. You're not really gaining much by making /etc/crontab only readable by the superuser. It's currently trivial for regular users to view process information, and most cron jobs run on predictable boundaries (since per-minute timings are the most granular scheduling allowed). We don't want admins thinking, "nobody else can read this file, so anything I put in here must be top secret", because that's *not* the case. Just my CA$0.10. :-) - Ryan Xin LI wrote to freebsd-security@freebsd.org: > Hi folks, > > While investigating OpenBSD's cron implementation, I found that they set > the systemwide crontab (a.k.a. /etc/crontab) to be readable by the > superuser only. The attached patch will bring this to FreeBSD by moving > crontab out from BIN1 group and install it along with master.passwd. > > This change should not affect the current cron(1) behavior. > > Cheers, > -- > Xin LI <delphij frontfree net> http://www.delphij.net/ > See complete headers for GPG key and other information. > > -- Ryan Thompson <ryan@sasknow.com> SaskNow Technologies - http://www.sasknow.com 901-1st Avenue North - Saskatoon, SK - S7K 1Y4 Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040811145610.K41454>