[SunHELP] Crontab Ownership

sunhelp at sunhelp.org sunhelp at sunhelp.org
Tue Jan 2 11:09:17 CST 2001


Couple of things come to mind...

The crontab binary is suid root, so for editing purposes the crontabs
should all be mode 400, owned by root and then the primary group of the
user the crontab corresponds to.

The cron daemon does the running of the job itself, so from a security
standpoint, the ownerships of the tab file are important but not the most
critical portion of the cron subsystem.  Besides, I would think that
anything that ran as suid <user here>, i.e. sys or bin would be a
potential means to otherwise corrupt or modify the crontabs for those
users if they were mode 400 or 600(at least).

I need more coffee...

===============================
Ed Mitchell (ed<-at->the7thbeer.com)
Finger for PGP public key
===============================
This boxen's uptime stats....
  9:05am  up 87 day(s), 23:48,  1 user,  load average: 0.04, 0.10, 0.07


On Tue, 2 Jan 2001, John Kennedy wrote:

> Hello all,
> I know this is a bit of a simple question but I'm can't seem to think
> straight lately...
> We are currently using Enterprise Security Manager by Axent (It
> sucks...Don't buy it!!! [Contact me off list if you want details...]).  The
> person who is training me on it has very little UNIX knowledge and believes
> that whatever errors ESM gives MUST be fixed to ESM's satisfaction.  One of
> the error's ESM has come up with is that users adm and sys crontab files are
> owned by the respective users and not owned by root.  I can't put a finger
> on it but this seems like it would cause problems when adm and sys try to
> run their crontabs.  Am I correct in thinking this??? If so, why is it
> wrong???
> Thanks for the help,
> John
> 
> 
> 
> 
> 
> _______________________________________________________
> Send a cool gift with your E-Card
> http://www.bluemountain.com/giftcenter/
> 
> 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
> 




More information about the SunHELP mailing list