-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enhancement suggestion: additional security #90
Comments
Hmm, what is the difference here from any other execution of scripts or binaries by root? I do not think crond should be special in this regard. I do not think I am going to add such feature. |
Difference is that crond is unattended. If I'm running a script as root at the command line there is a presumption I know what I am running (though clearly there are attack vectors there too, such as users putting a hacked binary with the same name as a system command like ls into their own directory hoping root will run it - one of the reasons why root should not have ./ in its path). I can take a cron script being run by root and writeable by a non privileged user and create a privilege escalation attack vector from that and no one will be the wiser since it's all happening unattended. |
The only check from the above that might be acceptable is refusing to exec world-writeable stuff. All the other cases might be legitimate use-cases. And no, I do not see as "all happening unattended" making any real difference. |
I'd like to suggest an additional security feature.
Cron refuses to execute commands/scripts where any of the following apply:
If any apply, cron outputs an error message instead of the command / script output
The main idea is to avoid execution by root of files editable by non privileged users, but is applicable in general to any user.
While not 100% foolproof (it does not stop inclusion of other files in scripts) it provides a first level of protection for an issue which may not be apparent to users setting up a cron job that has to be executed by root
The feature could be deliberately overridden by a command line parameter.
The text was updated successfully, but these errors were encountered: