dcron & crontab permission
by Thom1b from LinuxQuestions.org on (#6HW3T)
Hi,
It seems I want to change many things in dcron ;)
If too few people think it's useful, I'll forget my following suggestion.
I read this in the crontab manpage:
Quote:
I understand crontab command should be run by a trusted user only. This is not the case in Slackware, crontab can be run by any user.
Even the dcron github homepage says by default crontab permissions allow only root and users in wheel group to run it:
Quote:
If you think crontab should be run only by trusted users, I suggest this little patch in dcron SB:
Code:*** dcron.SlackBuild 2024-01-15 16:07:50.560059014 +0100
--- dcron.SlackBuild.new 2024-01-15 16:08:58.591341660 +0100
***************
*** 96,102 ****
BINDIR=/usr/bin \
SBINDIR=/usr/sbin \
MANDIR=/usr/man \
! CRONTAB_GROUP=root \
|| exit 1
# This works now, but predictability is a good thing...
--- 96,102 ----
BINDIR=/usr/bin \
SBINDIR=/usr/sbin \
MANDIR=/usr/man \
! CRONTAB_GROUP=wheel \
|| exit 1
# This works now, but predictability is a good thing...
***************
*** 110,116 ****
mkdir -p $PKG/usr/bin
cat crontab > $PKG/usr/bin/crontab
! chmod 4711 $PKG/usr/bin/crontab
# Add run-parts script and man page, largely taken from Fedora:
zcat $CWD/run-parts.gz > $PKG/usr/bin/run-parts
--- 110,117 ----
mkdir -p $PKG/usr/bin
cat crontab > $PKG/usr/bin/crontab
! chown root:wheel $PKG/usr/bin/crontab
! chmod 4710 $PKG/usr/bin/crontab
# Add run-parts script and man page, largely taken from Fedora:
zcat $CWD/run-parts.gz > $PKG/usr/bin/run-parts
It seems I want to change many things in dcron ;)
If too few people think it's useful, I'll forget my following suggestion.
I read this in the crontab manpage:
Quote:
| Only users who belong to the same group as the crontab binary will be able to install or edit crontabs. However itill be possible for the superuser to install crontabs even for users who donit have the privileges to install them themselves. (Even for users who donit have a login shell.) Only the superuser may use the u or c switches to specify a different user and/or crontab directory. |
Even the dcron github homepage says by default crontab permissions allow only root and users in wheel group to run it:
Quote:
| INSTALLING ---------- (4) `make install` installs the files underneath PREFIX (by default, /usr/local). If you're packaging, you can supply a DESTDIR argument here: make DESTDIR=/path/to/your/package/root install Permissions will be as follows: -rwx------ 0 root root 32232 Jan 6 18:58 /usr/local/sbin/crond -rwsr-x--- 0 root wheel 15288 Jan 6 18:58 /usr/local/bin/crontab Only users belonging to crontab's group (here "wheel") will be able to use it. You may want to create a special "cron" group and assign crontab to it: groupadd cron chgrp cron /usr/local/bin/crontab chmod 4750 /usr/local/bin/crontab (If the group already exists, you can specify it by supplying CRONTAB_GROUP to the `make` or `make install` commands.) |
Code:*** dcron.SlackBuild 2024-01-15 16:07:50.560059014 +0100
--- dcron.SlackBuild.new 2024-01-15 16:08:58.591341660 +0100
***************
*** 96,102 ****
BINDIR=/usr/bin \
SBINDIR=/usr/sbin \
MANDIR=/usr/man \
! CRONTAB_GROUP=root \
|| exit 1
# This works now, but predictability is a good thing...
--- 96,102 ----
BINDIR=/usr/bin \
SBINDIR=/usr/sbin \
MANDIR=/usr/man \
! CRONTAB_GROUP=wheel \
|| exit 1
# This works now, but predictability is a good thing...
***************
*** 110,116 ****
mkdir -p $PKG/usr/bin
cat crontab > $PKG/usr/bin/crontab
! chmod 4711 $PKG/usr/bin/crontab
# Add run-parts script and man page, largely taken from Fedora:
zcat $CWD/run-parts.gz > $PKG/usr/bin/run-parts
--- 110,117 ----
mkdir -p $PKG/usr/bin
cat crontab > $PKG/usr/bin/crontab
! chown root:wheel $PKG/usr/bin/crontab
! chmod 4710 $PKG/usr/bin/crontab
# Add run-parts script and man page, largely taken from Fedora:
zcat $CWD/run-parts.gz > $PKG/usr/bin/run-parts