SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
It seems I want to change many things in dcron
If too few people think it's useful, I'll forget my following suggestion.
I read this in the crontab manpage:
Quote:
Only users who belong to the same group as the crontab binary will be able to install or edit crontabs. However it’ll be possible for the superuser to install crontabs even for users who don’t have the privileges to install them themselves. (Even for users who don’t have a login shell.) Only the superuser may use the ‐u or ‐c switches to specify a different user and/or crontab directory.
I understand crontab command should be run by a trusted user only. This is not the case in Slackware, crontab can be run by any user.
Even the dcron github homepage says by default crontab permissions allow only root and users in wheel group to run it:
Quote:
INSTALLING
----------
(4) `make install` installs the files underneath PREFIX (by default, /usr/local).
If you're packaging, you can supply a DESTDIR argument here:
make DESTDIR=/path/to/your/package/root install
Permissions will be as follows:
-rwx------ 0 root root 32232 Jan 6 18:58 /usr/local/sbin/crond
-rwsr-x--- 0 root wheel 15288 Jan 6 18:58 /usr/local/bin/crontab
Only users belonging to crontab's group (here "wheel") will be able to use it.
You may want to create a special "cron" group and assign crontab to it:
Why? There is nothing privileged to run cron jobs. The cron jobs run using the user's own uid.
As I said, it's just a suggestion we can forget quickly, I don't think it's a security issue.
Manpage says crontab command should be run only by trusted users (and is the vanilla behaviour) but this is not the case so manpage is wrong, that's why I suggest this change. But we can change manpage to be true with current behaviour.
run-parts can be run by any user, so if crontab must be run only by root or wheel users, anyone can still add/modify its own jobs in its own cron directory without special permission.
I agree with those who think that it is useful (and sometimes safer) to run cron jobs as a normal user.
Yes, the crontab binary is setuid root, and any security hole in that binary might give a privilege escalation, but still, the usefullness of being able to run cron jobs as a normal user should be weighted against placing more or less secure cron jobs in privileged accounts.
The reason that the crontab binary is setuid root is that /var/spool/cron is only accessible by privileged users and below that directorie lives all users crontabs.
I prefer the way it is now. Your change means crontab users should be added to group 'users'. There are other conventions, for example in my work Slackware and other work accounts, my primary group is different, and I am not in group 'users'. If a special group for allowing crontab is wanted, maybe a supplementary group of 'crontab' would be used, instead of overloading 'wheel' or 'users' for that.
Even when my user has it's own primary group, I still put it in 'users', but yes, it's all preference. The problem with the current scheme is that 'nobody' could run /usr/bin/crontab which while not terrible, is not ideal.
If a special group for allowing crontab is wanted, maybe a supplementary group of 'crontab' would be used, instead of overloading 'wheel' or 'users' for that.
There remains the question why crontab should be allowed only for some.
1) One reason could be that it is suid root and that's why it could be a security risk. But there are lots of other suid root binaries. 'find / -xdev -perm -4000 -user root -ls' lists 40 of them here and /usr/bin/fdmount and /usr/libexec/dbus-daemon-launch-helper are the only ones executable by a special group and not by everyone. For example /usr/libexec/Xorg is a large program, suid root and executable by anyone.
2) Or maybe crontab should be restricted so that wrong people couldn't run processes while not logged in. But then there is 'at' and 'screen' and so on.
'at' has /etc/at.allow and /etc/at.deny to control who can use it. dcron simply uses execute permissions of the suid /usr/bin/crontab to control who gets to use it, so there's a different control mechanism at play here. You're right though, there are many ways to get up to mischief, but that doesn't mean one shouldn't pick the low hanging fruit.
The way I look at it 'cron' is a facility for 'normal' users and non-user logonids should not be able to modify their own crontab files (it doesn't mean they can't have them, just that root will have to maintain them), but that's a matter of philosophy/opinion and YMMV. I'm a firm believer in the principle of least privilege.
Whether control is granted via a dedicated group or not I guess depends on how fine grained you want to control its access. For me, the 'users' group seemed like a sensible choice given my outlook, stated above, and had the advantage of not requiring a new group to be added.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.