看板 FB_security 關於我們 聯絡資訊
發信人delphij@frontfree.net (Xin LI),
看板FB_security
標 題Re: [PATCH] Tighten /etc/crontab permissions
發信站NCTU CSIE FreeBSD Server (Thu Aug 12 12:06:26 2004)
轉信站ptt!FreeBSD.csie.NCTU!not-for-mail
--hYooF8G/hrfVAmum Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote: > * Doug Barton, 2004-08-10 : >=20 > > Do you have a reason for wanting to do this other than, "OpenBSD does i= t=20 > > this way?" I personally see no problems, and some benefit for users=20 > > being able to see the system crontab. If the superuser needs to run=20 > > "secret" cron jobs, then there is root's crontab that can be used for= =20 > > this purpose. >=20 > Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab > on all systems I set up. People who need tightened security against > hostile local users can use tools such as security/lockdown that will, > among many other things, remove world-read permissions from a bunch of > systemwide configuration files, including /etc/crontab. I think I would want to compromise at this point ;) In addition of this, personally I suggest the following changes to be made: - Provide an option in sysinstall so users will be instructed to choose whether to ``lockdown'' their systems as soon as the configuration is completed. Also, include this utility in the installation disc. - Add a new security audit script which will tell admins that the permission of "watched" configurations was altered. This might be turned off by default, or even a depency port of lockdown, to provide a mechanism to detect potential break-ins earlier, and to notice users when something like mergemaster or manual etc/ upgrades has reverted the permissions. What do you think about this? Actually the FreeBSD Simplified Chinese project is recently coordinating an effort of making an Internationalized FreeBSD Installer, I think we will try to implement these things if they looks better. Cheers, --=20 Xin LI <delphij frontfree net> http://www.delphij.net/ See complete headers for GPG key and other information. --hYooF8G/hrfVAmum Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD8DBQFBGuykOfuToMruuMARAm5tAJ437PcJgS+ducDSxcUY3KyARjIZlQCfXe3f i9Xw2EJxrbJ2jJec37c6Mwc= =NNky -----END PGP SIGNATURE----- --hYooF8G/hrfVAmum--