Hi,

   I am in the process of designing a program which performs a form of
task scheduling. Briefly, the system will execute tasks based on
system events (I'm thinking dial-up networking, here) rather than at a
given time (as cron does).

   However, I have come up with a problem about the best (most secure)
way of managing user permissions for this program. Basically, what
I'm after is something which behaves rather like crontab: There is a
"system" repository of tasks (like /etc/crontab), and "per-user" tasks
(like /var/spool/cron/<user>, or whatever).

   The "per-user" tasks are executed (under the users own identity)
when the scheduler is triggered. These tasks are placed in an
otherwise write-protected area by a suid program, in a similar manner
to crontab.

   This is fine, and (I think) I could do this without too much
difficulty. However, there is one additional twist: there are two
types of task -- transient and permanent. The transient tasks are
executed once (on the next trigger event) and then deleted; the
permanent tasks are executed at every trigger event. I think that
there should be a directory structure looking something like this:

/var/spool/taskscheduler/
                         permanent/
                                   user1/<files...>
                                   user2/<files...>
                                   ...
                         transient/
                                   user1/<files...>
                                   ...

   What I'd like is to have a nested set of permissions:

Set (A): Some subset of all users -- able to set transient events

Set (B): Some subset of (A) -- able to set permanent events

   I can see a couple of ways of achieving this:

1) Have two groups (say, tsperm and tstemp) which grant access to the
appropriate configuration directory (the dirs are root.ts(perm|temp)
drwxrwx--t). -- This allows the user to edit directly their
configuration files.

2) Have two groups granting access, and check users' membership of the
appropriate group before allowing them access to the spool dirs (which
are root.root drwx------). -- This requires a suid-root program.

3) Have two lists of users in a configuration file, allowing access to
the spool dirs (root.root drwx------ as above). -- This also requires
a suid-root program.

   I *think* that option 2 is the one to go for, but I'm not sure.

   So... my questions are:

   Which of the above options is the best in terms of secure design?
   Are there any other sensible options I've missed?
   What pitfalls should I try to avoid in implementing this design?

   I'd appreciate comments on this. Thanks,
   Hugo.

-- 
    ---- Hugo Mills --- The Creature from the Black Logon ----
hugolug.org.uk     hugocarfax.nildram.co.uk     hugosoton.ac.uk
     ---- "We did a risk management review. We concluded ----
            that there was no risk of any management."

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]