Board: FB_security
Title: Re: [PATCH] Tighten /etc/crontab permissions
Origin: NCTU CSIE FreeBSD Server (Wed Aug 11 03:30:23 2004)
Relay: ptt!FreeBSD.csie.NCTU!not-for-mail

It is better to have something secure by default. If someone wants to open
up the crontab in /etc/crontab for other users to see it, he/she can do it
at his/her own risk.

Many people that are not very familiar with system administration or security,
but yet manage a server, could add cronjobs that could be very harmful to
themselves and they don't know (e.g. mysqldump for backups with the password
hardcoded in the command).

Maybe the purpose of /etc/crontab is exactly to be a read-by-all file.
That's fine, but in this case, a security warning with BIG letters should be
printed at the very beginning of the file.

my $0.02 ;)

----- Original Message -----
From: "Garance A Drosihn" <[email protected]>
To: "Xin LI" <[email protected]>; "Doug Barton" <[email protected]>
Cc: <[email protected]>
Sent: Tuesday, August 10, 2004 12:01 PM
Subject: Re: [PATCH] Tighten /etc/crontab permissions
> At 2:10 AM +0800 8/11/04, Xin LI wrote:
> >
> >On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote:
> >>
> > > Can you elaborate on your thinking?
> >
> >I'm not sure if this is a sort of abusing systemwide crontabs, but
> >the administrators at my company have used them to run some tasks
> >periodically under other identities (to limit these tasks' privilege),
> >and it provided a somewhat "centralized" management so they would
> >prefer to use systemwide crontab rather than per-user ones.
>
> You could get about the same effect by having them all under root's
> crontab, and then having the entry 'su' to the appropriate userid
> before running. So it is centralized in one crontab (root's), but
> it is protected from prying eyes.
>
> >What do you think about the benefit for users being able to see
> >the system crontab? I think knowing what would be executed under
> >others' identity is (at least) not always a good thing, especially
> >the users we generally don't fully trust...
>
> For generic system tasks, it can be useful to know when they run.
> Maybe this means more to me because I'm actually awake at all odd
> hours of the morning, so I notice the effects of some of those
> runs. My runs of 'cvsup_mirror', for instance.
>
> Basically, I use the system crontab for events where I think it
> is safe for every user to know when the events occur, and use
> other crontabs for the things I want to keep private. Just a
> personal preference thing, obviously.
>
> --
> Garance Alistair Drosehn = [email protected]
> Senior Systems Programmer or [email protected]
> Rensselaer Polytechnic Institute or [email protected]
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[email protected]"
>
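
The exposure raised in this thread (a password on a mysqldump command line inside a crontab that other users can read) can be checked for with a short audit script. This is an added example, not part of the original messages; the function names and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a system crontab for inline MySQL passwords and
# report whether the file is readable by "other". All names are hypothetical.

# Succeeds when "other" has read permission (8th character of the ls mode).
world_readable() {
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]
}

# Print "lineno:text" for active (non-comment) entries that pass a password
# to mysql/mysqldump as -pVALUE or --password=VALUE.
inline_secret_lines() {
    grep -nE '^[[:space:]]*[^#[:space:]].*mysql(dump)?[[:space:]](.*[[:space:]])?(-p[^[:space:]]+|--password=[^[:space:]]+)' -- "$1"
}

# Print "clean", "restricted: <lines>" or "exposed: <lines>".
audit_crontab() {
    f=$1
    hits=$(inline_secret_lines "$f" | cut -d: -f1 | paste -sd, -)
    if [ -z "$hits" ]; then
        echo "clean"
    elif world_readable "$f"; then
        echo "exposed: $hits"      # secret present and any local user can read it
    else
        echo "restricted: $hits"   # secret present, file mode limits who sees it
    fi
}

# Constructed sample in FreeBSD system-crontab layout (with the "who" field).
sample=$(mktemp "${TMPDIR:-/tmp}/crontab.XXXXXX")
cat > "$sample" <<'EOF'
# /etc/crontab sample (constructed)
#minute hour mday month wday who command
1 3 * * * root periodic daily
30 2 * * * backup mysqldump -u backup -pEXAMPLE_PLACEHOLDER appdb > /var/backups/appdb.sql
# 0 4 * * * root mysqldump --password=old appdb
EOF
chmod 644 "$sample"; audit_crontab "$sample"
chmod 600 "$sample"; audit_crontab "$sample"
rm -f "$sample"
```

A "restricted" result still means the password is visible in the process list while the job runs, so moving it out of the command line remains the real fix.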