NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > FreeBSD Security> 2004-08

Re: [PATCH] Tighten /etc/crontab permissions

From: Xin LI (delphijfrontfree.net)
Date: Wed Aug 11 2004 - 23:05:56 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote:
> * Doug Barton, 2004-08-10 :
>
> > Do you have a reason for wanting to do this other than, "OpenBSD does it
> > this way?" I personally see no problems, and some benefit for users
> > being able to see the system crontab. If the superuser needs to run
> > "secret" cron jobs, then there is root's crontab that can be used for
> > this purpose.
>
> Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab
> on all systems I set up. People who need tightened security against
> hostile local users can use tools such as security/lockdown that will,
> among many other things, remove world-read permissions from a bunch of
> systemwide configuration files, including /etc/crontab.

I think I would want to compromise at this point ;) In addition of this,
personally I suggest the following changes to be made:

        - Provide an option in sysinstall so users will be instructed
          to choose whether to ``lockdown'' their systems as soon as
          the configuration is completed. Also, include this utility
          in the installation disc.
        - Add a new security audit script which will tell admins that
          the permission of "watched" configurations was altered.
          This might be turned off by default, or even a depency port
          of lockdown, to provide a mechanism to detect potential
          break-ins earlier, and to notice users when something like
          mergemaster or manual etc/ upgrades has reverted the
          permissions.

What do you think about this? Actually the FreeBSD Simplified Chinese
project is recently coordinating an effort of making an Internationalized
FreeBSD Installer, I think we will try to implement these
things if they looks better.

Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (FreeBSD)

iD8DBQFBGuykOfuToMruuMARAm5tAJ437PcJgS+ducDSxcUY3KyARjIZlQCfXe3f
i9Xw2EJxrbJ2jJec37c6Mwc=
=NNky
-----END PGP SIGNATURE-----

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]