Re: Session IDs & LUID point to consider.

From: allbery@kf8nh.apk.net
Date: Fri Apr 21 2000 - 20:27:09 EDT


    On 21 Apr, Horst von Brand wrote:
    +-----
    | Linda Walsh <law@sgi.com> said:
    | > Another problem is 'cron'. While 'at' can encode an luid in the job name how
    | > do you tell what authorized user is running a 'cronjob'? One authorized
    | > user could be executing an SUID program to another user and edit that user's
    | > crontab. The only way I can come up with there is to disallow user-level
    | > cronjobs on a secure system (using existing configuration options:
    | > cron.allow/deny).
    |
    | You could record the LUID which last changed the crontab file offline, and
    | make crond(8) run it under that one.
    +--->8

    My inclination would be to follow Linda's suggestion, just out of
    general paranoia (the occupational hazard of security types...).

    -- 
    brandon s. allbery	   os/2,linux,solaris,perl	allbery@kf8nh.apk.net
    system administrator	   kthkrb,heimdal,gnome,rt	  allbery@ece.cmu.edu
    carnegie mellon / electrical and computer engineering			kf8nh
        We are Linux. Resistance is an indication that you missed the point.
    




    This archive was generated by hypermail 2b29 : Fri Apr 21 2000 - 20:43:15 EDT