Steve Greenland wrote: > Apropos of the recent setuid/setgid thread, and also being prodded by > Stephen Frost, I've changed crontab to be setgid 'cron' rather than > setuid 'root'. Beyond the coding (which is mostly removing setuid() > calls), this involves the following changes: > > add system group 'cron' > > change /var/spool/cron/crontabs from 755 root.root to 775 root.cron > > change crontab files in the spool directory from 600 root.root to 600 > userid.cron > > At first glance, the only access I've added with this is that a user can > now view or edit (but not delete) her crontab file directly in the spool > directory. Since one could all that with the crontab command anyway, it > doesn't seem a big deal. > > Comments, suggestions?
One possible gotcha is that if crontab(1) does any sanity checks of the crontab files, cron could expect them to be pre-sanitised, and might behave badly if an unsanitised file is put into place by a user. (As a user, what I really want is a .crontab file in my home directory, so I can put it under revision control.) -- see shy jo
pgpYBd5QDWDKw.pgp
Description: PGP signature
