On Sun, 3 Aug 2003 05:51, Steve Greenland wrote:
> Apropos of the recent setuid/setgid thread, and also being prodded by
> Stephen Frost, I've changed crontab to be setgid 'cron' rather than
> setuid 'root'. Beyond the coding (which is mostly removing setuid()
> calls), this involves the following changes:

Sounds good to me. You are not the first person to do it, however; I believe that Solar Designer did the same thing for OpenWall (of course, when Solar Designer has the same security idea as you, then it's a good sign you're doing the right thing).

If we are going to remove SETUID/SETGID programs then we should look at what Solar Designer is doing, particularly in TCB http://www.openwall.com/tcb/ .

> At first glance, the only access I've added with this is that a user can
> now view or edit (but not delete) her crontab file directly in the spool
> directory. Since one could do all that with the crontab command anyway, it
> doesn't seem a big deal.

If a user is listed in /etc/cron.deny then "crontab -l" does not work for them, so if you permit them to cat the file directly then you are changing the functionality, which may not be desired. It's easy enough to make the directory containing the files be mode 0775 to solve this.

I don't know why the directory is currently mode 0755; this allows any user to see who has a crontab file, when it was last updated, and how big it is. I don't think that this is desirable (my SE Linux policy prevents such access).

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page