[BBLISA] crontab - corrected version
Steve Revilak
steve at srevilak.net
Wed Jan 23 22:35:03 EST 2008
> From: Scott Ehrlich
> Subject: [BBLISA] crontab - corrected version
> So I want to see if there is a way to restrict crontab from running an
> executable or anything else from a world-writable directory, or subdirectory
> thereof.

This is actually a pretty hard problem. Suppose you had a crontab
entry like this

    # distributed crontab. There's always some oddball job that has to
    # run on a single, specific machine
    #
    # Assume mail-if-not-empty is like /bin/mail, but sends no mail
    # if there's no output
    1 0 * * * operator hostname | grep -q "server1" && ( /path/to/some-job 2>&1 | mail-if-not-empty -s "`hostname` some-job error" sysadmin@example.com )

There are five different command executions (and that's not even
getting into what /path/to/some-job does). Maybe your crontab entries
are simpler than that, but in order to cover the bases completely, I
think you'd have to patch SHELL. At least a couple of OS's will just
take that whole line and pass it to "sh -c".

You could take another approach - a cron job that removes the 002 bit
from any directory that shouldn't have it :)

Steve
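
Added example, not part of the original post: one way to write the cleanup job suggested in the reply above, as POSIX sh functions that can be called from cron. The function names and the allow-list file (one absolute directory path per line, for directories such as /tmp that must stay world-writable) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Strips the world-write (002)
# bit from every directory under a root, except directories on an allow-list.
# ALLOW_FILE format (assumed): one absolute directory path per line.

# is_allowed DIR ALLOW_FILE -> 0 if DIR appears verbatim as a line in ALLOW_FILE
is_allowed() {
    [ -f "$2" ] && grep -Fxq -- "$1" "$2"
}

# strip_world_write ROOT ALLOW_FILE [DRY_RUN]
# Prints one line per directory changed (or, with DRY_RUN=1, that would be
# changed). Directory names containing newlines are not supported.
strip_world_write() {
    root=$1 allow=$2 dry=${3:-0}
    # -xdev: stay on one filesystem. -type d: real directories only, so
    # symlinks are never chmod'ed. -perm -0002: world-write bit is set.
    find "$root" -xdev -type d -perm -0002 -print |
    while IFS= read -r dir; do
        if is_allowed "$dir" "$allow"; then
            continue            # e.g. /tmp, which is meant to be 1777
        fi
        if [ "$dry" = 1 ]; then
            echo "would fix: $dir"
        else
            # o-w clears only the 002 bit; sticky and other bits are kept.
            chmod o-w -- "$dir" && echo "fixed: $dir"
        fi
    done
}
```

Run it with DRY_RUN=1 first and review the output before letting cron make changes. It covers subdirectories as well, since a job stored several levels below a world-writable directory is just as replaceable as one stored directly in it.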