Hi folks,

While investigating OpenBSD's cron implementation, I found that they set the systemwide crontab (a.k.a. /etc/crontab) to be readable by the superuser only. The attached patch will bring this to FreeBSD by moving crontab out from BIN1 group and install it along with master.passwd.

This change should not affect the current cron(1) behavior.

Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.

-------------- next part --------------
Index: Makefile ==================================================================RCS file: /home/fcvs/src/etc/Makefile,v retrieving revision 1.327 diff -u -r1.327 Makefile --- Makefile 23 Mar 2004 22:17:34 -0000 1.327 +++ Makefile 10 Aug 2004 06:03:59 -0000 @@ -6,7 +6,7 @@ .endif BIN1= amd.map apmd.conf auth.conf \ - crontab csh.cshrc csh.login csh.logout devd.conf devfs.conf \ + csh.cshrc csh.login csh.logout devd.conf devfs.conf \ dhclient.conf disktab fbtab ftpusers gettytab group \ hosts hosts.allow hosts.equiv hosts.lpd \ inetd.conf login.access login.conf \ @@ -73,7 +73,7 @@ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \ ${BIN2} ${DESTDIR}/etc; \ ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \ - master.passwd nsmb.conf opieaccess ${DESTDIR}/etc; \ + crontab master.passwd nsmb.conf opieaccess ${DESTDIR}/etc; \ pwd_mkdb -p -d ${DESTDIR}/etc ${DESTDIR}/etc/master.passwd cd ${.CURDIR}/bluetooth; ${MAKE} install cd ${.CURDIR}/defaults; ${MAKE} install
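
Review bot: In the first hunk (@@ -6,7 +6,7 @@), taking crontab out of BIN1 removes it from every rule that expands ${BIN1}, and the diff shows it being added back only on the -m 600 install line. Please confirm that no other target in this Makefile depends on crontab being part of BIN1, and say so in the patch description.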
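
Review bot: In the second hunk (@@ -73,7 +73,7 @@), the new mode is applied only when this ${INSTALL} ... -m 600 rule is run against ${DESTDIR}/etc, so the patch description should state how an /etc/crontab that is already installed is expected to end up with mode 600. The line also now lists crontab next to master.passwd, nsmb.conf and opieaccess with no comment saying why it belongs with them; a one-line comment above the ${INSTALL} invocation giving the reason would help.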

On Wed, 11 Aug 2004, Xin LI wrote:

> Hi folks,
>
> While investigating OpenBSD's cron implementation, I found that they set
> the systemwide crontab (a.k.a. /etc/crontab) to be readable by the
> superuser only. The attached patch will bring this to FreeBSD by moving
> crontab out from BIN1 group and install it along with master.passwd.

Do you have a reason for wanting to do this other than, "OpenBSD does it this way?" I personally see no problems, and some benefit for users being able to see the system crontab. If the superuser needs to run "secret" cron jobs, then there is root's crontab that can be used for this purpose.

Can you elaborate on your thinking?

Doug

--
This .signature sanitized for your protection

Hi Xin,

Personally, I'd be opposed to this idea, for a couple of reasons:

1. The impact is too narrow. There are many, many files in /etc/ (and elsewhere, for that matter) that are also currently set world-readable by default. Patching the perms of just one file creates inconsistency, and, without a more general policy on this sort of thing, we're likely to hear whining about "everything *else* is world-readable. What's so special about /etc/crontab?"

2. Even if there *is* some small security benefit to be gained through obscurity (see #3), it's probably outweighed by the convenience of the matter in this case, and that has some real security implications. We'd be asking admins to su every time they want to look at /etc/crontab. For most of us, we consider our systems more secure the more we can do without a superuser shell.

3. You're not really gaining much by making /etc/crontab only readable by the superuser. It's currently trivial for regular users to view process information, and most cron jobs run on predictable boundaries (since per-minute timings are the most granular scheduling allowed). We don't want admins thinking, "nobody else can read this file, so anything I put in here must be top secret", because that's *not* the case.

Just my CA$0.10. :-)

- Ryan

Xin LI wrote to freebsd-security@freebsd.org:

> Hi folks,
>
> While investigating OpenBSD's cron implementation, I found that they set
> the systemwide crontab (a.k.a. /etc/crontab) to be readable by the
> superuser only. The attached patch will bring this to FreeBSD by moving
> crontab out from BIN1 group and install it along with master.passwd.
>
> This change should not affect the current cron(1) behavior.
>
> Cheers,
> --
> Xin LI <delphij frontfree net> http://www.delphij.net/
> See complete headers for GPG key and other information.

--
Ryan Thompson <ryan@sasknow.com>
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote:

> * Doug Barton, 2004-08-10 :
>
> > Do you have a reason for wanting to do this other than, "OpenBSD does it
> > this way?" I personally see no problems, and some benefit for users
> > being able to see the system crontab. If the superuser needs to run
> > "secret" cron jobs, then there is root's crontab that can be used for
> > this purpose.
>
> Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab
> on all systems I set up. People who need tightened security against
> hostile local users can use tools such as security/lockdown that will,
> among many other things, remove world-read permissions from a bunch of
> systemwide configuration files, including /etc/crontab.

I think I would want to compromise at this point ;) In addition to this, personally I suggest the following changes to be made:

- Provide an option in sysinstall so users will be instructed to choose whether to ``lockdown'' their systems as soon as the configuration is completed. Also, include this utility in the installation disc.

- Add a new security audit script which will tell admins that the permission of "watched" configurations was altered. This might be turned off by default, or even a dependency port of lockdown, to provide a mechanism to detect potential break-ins earlier, and to notify users when something like mergemaster or manual etc/ upgrades has reverted the permissions.

What do you think about this? Actually the FreeBSD Simplified Chinese project is recently coordinating an effort of making an Internationalized FreeBSD Installer, I think we will try to implement these things if they look better.

Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.
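
The permission audit script proposed in the message above could take the following shape. This is an added sketch, not code from the thread, from FreeBSD or from the security/lockdown port; the baseline file format and the function names mode_matches, check_watched and demo are assumptions made for the example.

```sh
#!/bin/sh
# Added example: report watched files whose mode differs from a baseline.
# Baseline format "<octal-mode> <path>" per line is an assumption of this sketch.

# mode_matches MODE PATH: true if PATH has exactly the permission bits MODE.
mode_matches() {
    # POSIX find: -perm with a bare octal number is an exact match.
    [ -n "$(find "$2" -prune -perm "$1" 2>/dev/null)" ]
}

# check_watched BASELINE: print one line per deviation; return 1 if any.
check_watched() {
    rc=0
    while read -r mode path; do
        case "$mode" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -e "$path" ]; then
            echo "MISSING $path (expected mode $mode)"
            rc=1
        elif ! mode_matches "$mode" "$path"; then
            now=$(ls -ld "$path" | cut -d' ' -f1)
            echo "CHANGED $path (expected mode $mode, now: $now)"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed demo: a scratch directory stands in for /etc.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/permaudit.XXXXXX") || return 2
    : > "$d/crontab";       chmod 600 "$d/crontab"
    : > "$d/master.passwd"; chmod 600 "$d/master.passwd"
    printf '600 %s\n600 %s\n' "$d/crontab" "$d/master.passwd" > "$d/baseline"
    chmod 644 "$d/crontab"    # simulate an upgrade putting the old mode back
    status=0
    check_watched "$d/baseline" || status=$?
    rm -rf "$d"
    return "$status"
}

demo || echo "deviations found (see lines above)"
```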