On Mon, Aug 04, 2003 at 07:55:34PM -0700, Blars Blarson wrote:
> In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
> >On Sat, Aug 02, 2003 at 02:51:03PM -0500, Steve Greenland wrote:
> >Under this setup, when cron opens a crontab file, it should fstat() it and
> >check that it is owned by the uid under which its contents will be executed
> >before trusting it.
>
> It should not trust symbolic links either. Otherwise it instantly promotes
> everything that looks like a crontab into one.

The attack scenarios for this one are pretty unlikely, but a little paranoia can't hurt here.

I agree: http://lists.debian.org/debian-devel/2003/debian-devel-200308/msg00191.html

-- 
 - mdz
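
The two checks discussed in this message (owner check via fstat() and refusing symbolic links), as an added C example that is not code from cron or from anyone in the thread. The names `open_crontab_checked` and `demo` and the temporary paths are hypothetical, and the group/world-writable test goes beyond what the thread asks for.

```c
#define _GNU_SOURCE  /* for O_NOFOLLOW / O_CLOEXEC on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an fd for the crontab of `owner`, or -1. */
int open_crontab_checked(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_NONBLOCK: do not block if the name turns out to be a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path: the object checked is the
     * object that will be read, so it cannot be swapped in between. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner ||                  /* must belong to the run-as uid */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {  /* extra check, not from the thread */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed test data: a crontab we own and a symlink to it.
 * Bitmask result: 1 = real file accepted, 2 = symlink rejected,
 * 4 = wrong run-as uid rejected; -1 on setup failure. */
int demo(void)
{
    char dir[] = "/tmp/cronchk.XXXXXX", file[64], lnk[64];
    int fd, result = 0;
    if (!mkdtemp(dir))
        return -1;
    snprintf(file, sizeof file, "%s/alice", dir);
    snprintf(lnk, sizeof lnk, "%s/mallory", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, lnk) != 0)
        return -1;
    close(fd);
    if ((fd = open_crontab_checked(file, geteuid())) >= 0) { result |= 1; close(fd); }
    if (open_crontab_checked(lnk, geteuid()) < 0) result |= 2;
    if (open_crontab_checked(file, geteuid() + 1) < 0) result |= 4;
    unlink(lnk); unlink(file); rmdir(dir);
    return result;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

O_NOFOLLOW only covers the last path component, so the directory holding the crontabs still has to be writable only by a trusted account.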