I received some interesting answers to my cron question. Most people said it was not possible. One person reviewed cron's source code and said the source would need to be modified. One person said I should mount the filesystem with noexec. I'll review and test the answers as best I can.

To answer several people's curiosities of why I keep pushing - when I'm tasked with a quest, I try to tap all my resources, including this list, to find a solution. One never knows when an answer might be obvious, or perplexing, as this question seems to have been. To some, an answer is obvious. To others, it is perplexing. It all depends on each person's level of knowledge. The more one learns, the more things become obvious. Thus, we grow.

In the end, like now, I try to provide my findings, which, if valid, may be of benefit to others. I try not to wear out the list, but do what the list was created for - discussion and inquiry of UNIX and related topics.

This question proved to test people's knowledge, and I did get some good feedback. Thanks to all, and until the next adventure...

Scott
On Wed, Jan 23, 2008 at 10:12:13PM -0500, Scott Ehrlich wrote:
> To answer several people's curiosities of why I keep pushing - when I'm
> tasked with a quest, I try to tap all my resources, including this list, to
> find a solution. One never knows when an answer might be obvious, or
> perplexing, as this question seems to have been. To some, an answer is

I've found, in the past, that questions like this are normally indicative of the wrong question being asked. People are trying to put controls in the wrong place, thinking this is the solution to an underlying problem.

When this happens at work I ask people to take a step back and to describe the problem they're trying to solve. "No, you don't want cron to do xyz... explain what you think the problem is you're trying to solve, in non-technical terms." Very frequently there are alternative solutions to the problem. The "noexec" idea someone suggested was one such attempt.

Historically this has been called "thinking outside the box", but I prefer to think of it as analysing the real problem: what are you trying to solve, not "can this technology do blah".

-- 
rgds
Stephen
On Wed, Jan 23, 2008 at 10:12:13PM -0500, Scott Ehrlich alleged:
> I received some interesting answers to my cron question. Most people said
> it was not possible. One person reviewed cron's source code and said the
> source would need to be modified. One person said I should mount the
> filesystem with noexec. I'll review and test the answers as best I can.

In my own defense for not mentioning "modify the source": that is *always* an option. It is especially implied in open source. It is one of the principal reasons for having open source in the first place!

That said, I quite like the general idea of adding some type of policy enforcement to cron. It reminds me of httpd's suexec, which has several such restrictions on the binary it executes.
On Wed, 2008-01-23 at 20:15 -0800, Garrick Staples wrote:
> On Wed, Jan 23, 2008 at 10:12:13PM -0500, Scott Ehrlich alleged:
> > I received some interesting answers to my cron question. Most people said
> > it was not possible. One person reviewed cron's source code and said the
> > source would need to be modified. One person said I should mount the
> > filesystem with noexec. I'll review and test the answers as best I can.
>
> In my own defense of not mentioning "modify the source", that is *always* an
> option. It is especially implied in open source. It is one of the
> principal reasons for having open source in the first place!
>
> That said, I quite like the general idea of adding some type of policy
> enforcement to cron. It reminds me of httpd's suexec. It has several such
> restrictions on the binary it executes.

In that case, I'll add my initial thought even though I'm ignorant, and therefore blissful. SELinux? It seems to me this is right up its alley.

> <snip sig stuff>

HTH
-- 
Bill
Scott Ehrlich wrote:
> I try not to wear out the list, but do what the list was created for -
> discussion and inquiry of UNIX and related topics.

No, you are mistaken there - this is not a generic UNIX and related topics list; this is a list directed at CentOS and CentOS-based issues.

- KB

-- 
Karanbir Singh : http://www.karan.org/ : 2522219 at icq