[BBLISA] limiting cron's capability?
Theo Van Dinter
felicity at kluge.net
Wed Jan 23 16:08:19 EST 2008
FWIW, a common thing with cron is to have a script which validates that only
one copy of the job is running at a given time, i.e.:

    */10 * * * * /path/to/validation_script.sh /path/to/real_job

Such that if "real_job" takes 25 minutes, at :00 real_job is run, at :10 and
:20 validation_script.sh just exits, and at :30 real_job is run again.

It's a trivial change to validate that /path/to/real_job is something
"approved", such as no world-writable directories in /path/to, and erroring
out if something not approved is found.

But yes, I also wonder what you're trying to do here. Just being paranoid à la
sendmail's checks?

On Wed, Jan 23, 2008 at 03:01:33PM -0500, John Stoffel wrote:
> Scott> Is it possible to prevent cron from executing something in a
> Scott> world-readable directory, or a directory branching off a
> Scott> world-readable directory?
>
> Umm... not that I know of. How would you expect cron to know this?
> All it has is a list of times and commands to run. Now this list is
> stored in a directory/file which should be locked down pretty well.
>
> So why don't we backup and try to figure out what you're *really*
> asking for here? It's obviously something security related, but what?
--
Randomly Selected Tagline:
"For a while, all that stood between America and annihilation was a man with
a drinking problem." - Some program on the Learning Channel
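
The wrapper described in the message above, as an added example that is not code from the original post: it refuses a job whose file or parent directories are world-writable, and skips the run while an earlier copy holds the lock. The lock-directory argument, the optional top-directory argument and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: validation wrapper for a cron job.
# Usage (the lock directory argument is an assumption of this sketch):
#   */10 * * * * /path/to/validation_script.sh /path/to/real_job /path/to/lockdir

# Succeed only if the job is a regular, executable, non-world-writable file and
# every directory from it up to $2 (default /) is not world-writable.
path_is_approved() {
    top=${2:-/}
    [ -x "$1" ] || return 1
    # Resolve symlinks so the real parent directories are the ones checked.
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    file=$dir/$(basename "$1")
    # Positive tests: if find fails or prints nothing, the path is rejected.
    [ -n "$(find "$file" -prune -type f ! -perm -0002)" ] || return 1
    while :; do
        [ -n "$(find "$dir" -prune -type d ! -perm -0002)" ] || return 1
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# Run job $1 unless lock directory $2 exists; $3 is passed on as the top directory.
# Returns 2 for an unapproved path, 0 when skipped, else the job's exit status.
run_once() {
    if ! path_is_approved "$1" "${3:-/}"; then
        echo "refusing to run $1: path not approved" >&2
        return 2
    fi
    # mkdir is atomic, so only one invocation can take the lock. Keep the lock
    # in a directory that is not world-writable; a killed run leaves it behind.
    mkdir "$2" 2>/dev/null || return 0
    rc=0
    "$1" || rc=$?
    rmdir "$2"
    return "$rc"
}

# Act as the cron entry point only when called with arguments.
if [ "$#" -ge 2 ]; then
    run_once "$@"
    exit $?
fi
```

A symlinked job file is rejected as well, because the check requires a regular file at the resolved path.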