On Wed, 2010-03-17 at 11:54 +0100, Javier Fernandez-Sanguino wrote:
> I do not agree here, if you do not trust your users then they should
> not have shell access to your system (which is the only way they can
> setup crontabs).
Good point, especially as any user can make his own cron...


>  If users are already able to execute a shell in the
> system and they have malicious intentions there is no different
> whether you allow them to use the crontab or not, disabling them the
> use of the at/crontab does not prevent them from running scheduled
> jobs: setting up a time bomb with a simple python/perl script is
> really easy to do.
Yeah...

However, those processes can be easier spottet (running with user uid,
which cron does not)... and one could think of security frameworks, that
kill long running user-processes after some time..

But ok,.. I agree that this is not reason enough to change the well
known default...



A "solution" could be to add a debconf question at high level, where the
user is asked whether only root should be allowed or not (or perhaps
even which users are allowed...)...
And the default could be simply everyone as right now.


Cheers,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to