[Bug 185531] Review Request: fcron, a task scheduler

bugzilla at redhat.com bugzilla at redhat.com
Sat Mar 18 12:01:46 UTC 2006



Summary: Review Request: fcron, a task scheduler


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185531





------- Additional Comments From pertusus at free.fr  2006-03-18 07:01 EST -------
(In reply to comment #11)
> answers to comment #10:
> 

> * fcrondyn should be suid fcron and not root.

I don't think so. I think that it shouldn't be setuid, and files in /etc/fcron.*
be owned by root and 0644. And it shouldn't be fcrondyn that checks the
/etc/fcron.{allow,deny}. If I'm not wrong, fcron does check, but I think that
fcrondyn shouldn't check at all. Not a big deal. 

> * fcronsighup has to be suid root: the idea of this very small program is to 
> be suid root so as it can send a signal to fcron daemon, while being very 
> small to ensure maximum security.

Correct me if I'm wrong, but this program is used by fcrontab to signal fcron
that it should reread the configuration, right? In that case I don't see why any
user could be allowed to send a SIGHUP to fcron, only the fcron user.

More generally, wouldn't it be better to set up a unix socket, created by fcron to
communicate with the fcron user, in a directory and with permissions such that
only that user may send something into that socket? Having a setuid root binary
solely so that the fcron user can signal to fcron that the config has
changed seems to me an unneeded security risk?

I say that because you are the maintainer, and it is more like a request for
enhancement ;-). Especially since it is already something much more
complicated, but similar to what I ask, that is used by fcrondyn. For the
fedora package, I guess we'll have to go with the setuid root, but maybe we
could arrange things such that only the fcron user may run the program.

> * concerning the rights about fcron: I think the question should rather be: 
> why would we add more rights to fcron binary than it needs ? The less rights, 
> the more secure!

Not necessarily. Any user should be able to read the binary, for example to do
md5sum or whatever. It opens a security risk if a user has to become root just
to do a md5sum on the binary. Concerning the execute bits, they are harmless
anyway as the real control is on the resources that are used as root. I am not
familiar enough with fcron to understand if it has to be run as root (for
example if it accesses files that are root-owned) but I can't see why a user
shouldn't be able to run it instead of root, especially to try to understand an
issue.

-- 
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.