[SOLVED] Permission on /etc/crontab should be 600 as per security .
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Permission on /etc/crontab should be 600 as per security .
Hello All ,
I'm perplexed with the way /etc/crontab should be 600 as per security. I need help /suggestion about is it really necessary to set 600 permission on the /etc/crontab where user individually has /var/spool/cron/<username>.
1./etc/crontab has 755 permissions set on the server.
2. User has their own crontab entries and cronjobs are located in /var/spool/cron/<username>.
3./etc/crontab is basically used for system wide crontab entries but since user has already their own cronjobs , does it really require to change the /etc/crontab permissions from 755 to 600 ?
4.Whether it is 755 or 600 , the ownership of the file is root:root and it is system wide cronjob(/etc/crontab) non-root user cannot modify the file (/etc/crontab) but somehow can be exploited with 'X' permission as per security.
Please advise , whether we can set the 600 permission on the /etc/crontab or we can continue with 755 permission.
I have analyzed that the /etc/crontab purposes as mentioned earlier but unable to determine any other impact on changing the permissions on this file.
Hello All ,
I'm perplexed with the way /etc/crontab should be 600 as per security. I need help /suggestion about is it really necessary to set 600 permission on the /etc/crontab where user individually has /var/spool/cron/<username>.
1./etc/crontab has 755 permissions set on the server.
2. User has their own crontab entries and cronjobs are located in /var/spool/cron/<username>.
3./etc/crontab is basically used for system wide crontab entries but since user has already their own cronjobs , does it really require to change the /etc/crontab permissions from 755 to 600 ?
4.Whether it is 755 or 600 , the ownership of the file is root:root and it is system wide cronjob(/etc/crontab) non-root user cannot modify the file (/etc/crontab) but somehow can be exploited with 'X' permission as per security.
Please advise , whether we can set the 600 permission on the /etc/crontab or we can continue with 755 permission. I have analyzed that the /etc/crontab purposes as mentioned earlier but unable to determine any other impact on changing the permissions on this file.
Not sure what you're 'perplexed' about, or why you're asking. What is "per security" in this context??? And you do know the difference between a regular user and the root user, right?? Have you given any thought as to why it's a bad idea to let anyone be able to see what jobs are running automatically as root???
And if you want to know whether or not you can set those permissions, why don't you actually TRY IT???
Infact , I have tried to set the permission 600 on the /etc/crontab and it is making no change.
Perplexed means confused or unable to decide whether we can go ahead and set the parameter.
A regular user(non-root user) cannot edit the files with 755 or 600 as well as mentioned earlier
security means security compliance CISO standards, let me paste you the link.
ALSO , I need to understand is there any other way that /etc/crontab can be used as per your knowledge ?
and changing the permissions can impact them. To my knowledge, /etc/crontab is used for system wide cronjobs.
So checking internally here whether you can provide any insights that you are aware of.
755 means readable and exectuable by everone.
Executable makes no sense, so it should be 644 at least, readable for everyone.
The standard is 600, read-protected, makes sense in case it contains a cron job with a hardcoded password. Quite unlikely though.
I never bothered with /etc/crontab, but often changed /var/log/messages permissions from 600 to 644.
(I have never seen sensitive information like passwords being logged.)
The standard is 600, read-protected, makes sense in case it contains a cron job with a hardcoded password.
That CISO 'standard' link has explanatory text as to the rationale for winding /etc/crontab back from 666, 664, or 660. That is, it makes a case for not having the one system-wide crontab writable by non-root accounts. However, the 'standard' doesn't really make a case for their proposed solution of 600 which would block read access. Nor does it explicitly mention the relevant files under /etc/cron.d/ at all, though it would be implied that in many cases could benefit from having the same permissions as /etc/crontab. And then the permissions for the /etc/cron.d/ directory are another matter, especially if certain groups have specific read permissions for some of the files. There can be reasons for that directory to be 700, 750, 755, 701, 751, or even 711.
So, I'd say either 644 or 640 or 600 would be fine for /etc/crontab.
tldr; CISO is making stuff up.
Last edited by Turbocapitalist; 04-22-2024 at 12:35 PM.
Reason: remove fstab mistake
I'm perplexed with the way /etc/crontab should be 600 as per security.
Standard access rights for /etc/crontab in debian is root:root 644, and it looks about right to me. Furthermore, there is no such thing as 'CISO standards', link you posted is by some dubious cybersecurity company.
Ok noted, What I have understood is changing the permissions to 600 for the /etc/crontab should be changed due to the reason 755 is allowing others also to be executed where they can potential threat. Thanks, you can close the thread.
Infact , I have tried to set the permission 600 on the /etc/crontab and it is making no change. Perplexed means confused or unable to decide whether we can go ahead and set the parameter.
A regular user(non-root user) cannot edit the files with 755 or 600 as well as mentioned earlier security means security compliance CISO standards, let me paste you the link.
ALSO , I need to understand is there any other way that /etc/crontab can be used as per your knowledge ? and changing the permissions can impact them. To my knowledge, /etc/crontab is used for system wide cronjobs. So checking internally here whether you can provide any insights that you are aware of.
So why ask whether you could or not, as you did in your first post? And WHY were you perplexed, when the security issue was/is pretty plain. And a regular user can edit their OWN crontabs...not the system wide one, right?? There are lots of ways bad security can affect your system, and no one here has the time to type out the 10,000 different things that could go bad. As to whether your system is secure or not, what steps have you taken to make sure it is?? Seems like you don't understand the very basics of system security.
Quote:
Originally Posted by ratan61
Ok noted, What I have understood is changing the permissions to 600 for the /etc/crontab should be changed due to the reason 755 is allowing others also to be executed where they can potential threat. Thanks, you can close the thread.
Right, which is what you were told in the first reply. You should ask your systems administrator about things like this, since they should be easily able to tell you why such security holes are bad.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.