LinuxQuestions.org
Old 04-22-2024, 10:34 AM   #1
ratan61
LQ Newbie
 
Registered: Aug 2023
Posts: 29

Rep: Reputation: 0
Permission on /etc/crontab should be 600 as per security .


Hello all,

I'm perplexed with the way /etc/crontab should be 600 as per security. I need help/suggestions on whether it is really necessary to set 600 permissions on /etc/crontab when each user individually has /var/spool/cron/<username>.
1. /etc/crontab has 755 permissions set on the server.
2. Users have their own crontab entries, and cronjobs are located in /var/spool/cron/<username>.
3. /etc/crontab is basically used for system-wide crontab entries, but since users already have their own cronjobs, is it really required to change the /etc/crontab permissions from 755 to 600?
4. Whether it is 755 or 600, the ownership of the file is root:root and it is the system-wide crontab (/etc/crontab); a non-root user cannot modify the file (/etc/crontab), but it can somehow be exploited with the 'X' permission as per security.

Please advise whether we can set the 600 permission on /etc/crontab or whether we can continue with 755 permission.

I have analyzed the purposes of /etc/crontab as mentioned earlier but am unable to determine any other impact of changing the permissions on this file.
 
Old 04-22-2024, 11:09 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,656

Rep: Reputation: 7970
Quote:
Originally Posted by ratan61 View Post
Hello all,
I'm perplexed with the way /etc/crontab should be 600 as per security. I need help/suggestions on whether it is really necessary to set 600 permissions on /etc/crontab when each user individually has /var/spool/cron/<username>.
1. /etc/crontab has 755 permissions set on the server.
2. Users have their own crontab entries, and cronjobs are located in /var/spool/cron/<username>.
3. /etc/crontab is basically used for system-wide crontab entries, but since users already have their own cronjobs, is it really required to change the /etc/crontab permissions from 755 to 600?
4. Whether it is 755 or 600, the ownership of the file is root:root and it is the system-wide crontab (/etc/crontab); a non-root user cannot modify the file (/etc/crontab), but it can somehow be exploited with the 'X' permission as per security.

Please advise whether we can set the 600 permission on /etc/crontab or whether we can continue with 755 permission. I have analyzed the purposes of /etc/crontab as mentioned earlier but am unable to determine any other impact of changing the permissions on this file.
Not sure what you're 'perplexed' about, or why you're asking. What is "per security" in this context??? And you do know the difference between a regular user and the root user, right?? Have you given any thought as to why it's a bad idea to let anyone be able to see what jobs are running automatically as root???

And if you want to know whether or not you can set those permissions, why don't you actually TRY IT???
 
Old 04-22-2024, 11:26 AM   #3
ratan61
LQ Newbie
 
Registered: Aug 2023
Posts: 29

Original Poster
Rep: Reputation: 0
In fact, I have tried to set the permission 600 on /etc/crontab and it is making no change.
Perplexed means confused or unable to decide whether we can go ahead and set the parameter.

A regular user (non-root user) cannot edit the files with 755 or 600 as well, as mentioned earlier.

Security means security compliance CISO standards; let me paste you the link.

https://www.tenable.com/audits/items...0d3a0ba4f51583

Also, I need to understand: is there any other way that /etc/crontab can be used, as per your knowledge, and can changing the permissions impact them? To my knowledge, /etc/crontab is used for system-wide cronjobs.
So I am checking here whether you can provide any insights that you are aware of.

Last edited by ratan61; 04-22-2024 at 11:27 AM.
 
Old 04-22-2024, 11:56 AM   #4
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,901

Rep: Reputation: 7318
That is explained on the link you sent. What kind of change did you expect?
 
Old 04-22-2024, 12:04 PM   #5
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 2,804

Rep: Reputation: 1203
755 means readable and executable by everyone.
Executable makes no sense, so it should be 644 at least, readable for everyone.
The standard is 600, read-protected, which makes sense in case it contains a cron job with a hardcoded password. Quite unlikely though.

I never bothered with /etc/crontab, but often changed /var/log/messages permissions from 600 to 644.
(I have never seen sensitive information like passwords being logged.)
 
Old 04-22-2024, 12:30 PM   #6
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,327
Blog Entries: 3

Rep: Reputation: 3726
Quote:
Originally Posted by MadeInGermany View Post
The standard is 600, read-protected, makes sense in case it contains a cron job with a hardcoded password.
That CISO 'standard' link has explanatory text as to the rationale for winding /etc/crontab back from 666, 664, or 660. That is, it makes a case for not having the one system-wide crontab writable by non-root accounts. However, the 'standard' doesn't really make a case for their proposed solution of 600, which would block read access. Nor does it explicitly mention the relevant files under /etc/cron.d/ at all, though it would be implied that those in many cases could benefit from having the same permissions as /etc/crontab. And then the permissions for the /etc/cron.d/ directory are another matter, especially if certain groups have specific read permissions for some of the files. There can be reasons for that directory to be 700, 750, 755, 701, 751, or even 711.

So, I'd say either 644 or 640 or 600 would be fine for /etc/crontab.


tldr; CISO is making stuff up.

Last edited by Turbocapitalist; 04-22-2024 at 12:35 PM. Reason: remove fstab mistake
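
The mode distinctions drawn in posts #5 and #6 (write access for non-owners, a pointless execute bit, read access), as an added shell example that is not part of any poster's reply. `classify_mode` and `audit_cron_files` are hypothetical helper names, the verdict strings are constructed, and `stat -c` assumes GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example (not from the thread): audit cron file modes.

# classify_mode OCTAL -> prints one verdict word for a permission mode.
classify_mode() {
    m=$((0$1))                       # leading 0 makes the shell read it as octal
    if [ $((m & 022)) -ne 0 ]; then  # group or other write bit (666, 664, 660 ...)
        echo "FAIL-writable-by-non-owner"
    elif [ $((m & 0111)) -ne 0 ]; then  # any execute bit (755): cron reads, never executes
        echo "WARN-exec-bit-pointless"
    elif [ $((m & 044)) -ne 0 ]; then   # group or other read (644, 640)
        echo "OK-readable"
    else                                # 600 or 400
        echo "OK-owner-only"
    fi
}

# audit_cron_files FILE... -> prints "path mode owner verdict" per regular file.
# Returns 1 if any file is writable by someone other than its owner.
audit_cron_files() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue      # skip missing paths and unexpanded globs
        info=$(stat -c '%a %U' "$f") || continue
        mode=${info%% *}
        owner=${info#* }
        verdict=$(classify_mode "$mode")
        [ "$owner" = root ] || verdict="$verdict,not-root-owned"
        echo "$f $mode $owner $verdict"
        case $verdict in FAIL*) rc=1 ;; esac
    done
    return $rc
}

# Check the system-wide crontab and the drop-in files mentioned in post #6.
audit_cron_files /etc/crontab /etc/cron.d/* \
    || echo "at least one cron file is writable by a non-owner"
```

The execute-bit and read-bit verdicts are informational only; only a write bit for group or other makes the function return non-zero.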
 
Old 04-22-2024, 12:47 PM   #7
lvm_
Member
 
Registered: Jul 2020
Posts: 940

Rep: Reputation: 338
Quote:
Originally Posted by ratan61 View Post
I'm perplexed with the way /etc/crontab should be 600 as per security.
Standard access rights for /etc/crontab in Debian are root:root 644, and it looks about right to me. Furthermore, there is no such thing as 'CISO standards'; the link you posted is by some dubious cybersecurity company.
 
Old 04-22-2024, 12:53 PM   #8
ratan61
LQ Newbie
 
Registered: Aug 2023
Posts: 29

Original Poster
Rep: Reputation: 0
OK, noted. What I have understood is that the permissions for /etc/crontab should be changed to 600 because 755 allows others to execute it as well, which can be a potential threat. Thanks, you can close the thread.
 
Old 04-22-2024, 01:01 PM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,656

Rep: Reputation: 7970
Quote:
Originally Posted by ratan61
In fact, I have tried to set the permission 600 on /etc/crontab and it is making no change. Perplexed means confused or unable to decide whether we can go ahead and set the parameter.

A regular user (non-root user) cannot edit the files with 755 or 600 as well, as mentioned earlier. Security means security compliance CISO standards; let me paste you the link.

Also, I need to understand: is there any other way that /etc/crontab can be used, as per your knowledge, and can changing the permissions impact them? To my knowledge, /etc/crontab is used for system-wide cronjobs. So I am checking here whether you can provide any insights that you are aware of.
So why ask whether you could or not, as you did in your first post? And WHY were you perplexed, when the security issue was/is pretty plain. And a regular user can edit their OWN crontabs...not the system wide one, right?? There are lots of ways bad security can affect your system, and no one here has the time to type out the 10,000 different things that could go bad. As to whether your system is secure or not, what steps have you taken to make sure it is?? Seems like you don't understand the very basics of system security.
Quote:
Originally Posted by ratan61 View Post
OK, noted. What I have understood is that the permissions for /etc/crontab should be changed to 600 because 755 allows others to execute it as well, which can be a potential threat. Thanks, you can close the thread.
Right, which is what you were told in the first reply. You should ask your systems administrator about things like this, since they should be easily able to tell you why such security holes are bad.
 