[redhat-lspp] [RFC] [PATCH] extending cron subsys

Janak Desai janak at us.ibm.com
Tue Nov 8 17:06:54 UTC 2005


These patches (fc4 and fc5 versions) extend the cron subsystem
to allow a user to submit cron jobs from different security contexts,
and have the cron daemon execute them in the context from which they
were submitted.


Currently, a user's crontab file is stored in the /var/spool/cron
directory as the user's name. With this patch a user can execute
crontab with a new option '-c' to append the current security
context to the crontab file name. The cron daemon, as part of
processing cron jobs, will attempt to set the security context
of the job to the context appended to the user name (if -c was
used with crontab). If the crontab file does not contain a
security context in its name (crontab without -c), the cron daemon
will continue to operate as it does now (use get_default_context_*
to obtain the cron job's security context) for that particular job.
Similarly, admins can append security contexts to files in
{hourly,daily,monthly} directories if they would like those jobs
to execute with a certain security context.

So far, I haven't made any changes to cron "allow/deny" logic.
Which means an admin will have to explicitly provide security
context in addition to user name to allow/deny cron capability.
Does it make more sense to keep allow/deny logic granular to just
a user or to a user+context? That is, if users are allowed/denied
to submit cron jobs, they can/can't do that from any contexts
to which they have access.

I haven't made changes to man pages, but will do so once I get
feedback on the patch itself.

-Janak




-------------- next part --------------
A non-text attachment was scrubbed...
Name: vixie-cron-4.1-fc4.patch
Type: text/x-patch
Size: 8676 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20051108/08332454/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vixie-cron-4.1-fc5.patch
Type: text/x-patch
Size: 8477 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/redhat-lspp/attachments/20051108/08332454/attachment-0001.bin>
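The daemon-side decision described in the message (context in the file name versus the existing default-context path), as an added example that is not code from the scrubbed patches. Assumptions: the separator between user name and context is ':', contexts have the form user:role:type[:range], and the names split_spool_name and context_syntax_ok are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define CTX_SEP ':'   /* assumed separator; the patch's real format is not shown */

/* Syntax check only: at least three non-empty ':'-separated fields, no '/',
 * no whitespace or control bytes. Whether the user may use the context is
 * a policy decision made elsewhere. */
static int context_syntax_ok(const char *ctx)
{
    int fields = 1;
    size_t flen = 0;
    for (const char *p = ctx; *p; p++) {
        if (*p == '/' || (unsigned char)*p <= ' ' || *p == 0x7f)
            return 0;
        if (*p == ':') {
            if (flen == 0)
                return 0;          /* empty field such as "a::c" */
            fields++;
            flen = 0;
        } else {
            flen++;
        }
    }
    return flen > 0 && fields >= 3;
}

/* Split a spool file name into user and context.
 *  0: no context in the name, caller keeps the default-context path
 *  1: user and ctx filled in, caller sets the job's context to ctx
 * -1: malformed or oversized name, caller skips the file */
int split_spool_name(const char *name, char *user, size_t ulen,
                     char *ctx, size_t clen)
{
    const char *sep = strchr(name, CTX_SEP);
    size_t n = sep ? (size_t)(sep - name) : strlen(name);

    if (clen == 0 || n == 0 || n >= ulen || memchr(name, '/', n) != NULL)
        return -1;
    memcpy(user, name, n);
    user[n] = '\0';
    ctx[0] = '\0';
    if (!sep)
        return 0;
    if (strlen(sep + 1) >= clen || !context_syntax_ok(sep + 1))
        return -1;
    strcpy(ctx, sep + 1);
    return 1;
}
```

A return of -1 is kept distinct from 0 so that a damaged or hand-edited file name is skipped rather than silently run in the default context.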

