[BBLISA] Re: SELinux
Daniel Hagerty
hag at linnaean.org
Thu Jan 24 20:43:43 EST 2008
Scott Ehrlich <scott at MIT.EDU> writes:
> Considering the balance of changing crontab's source code vs noexec,
> noexec seems the more reasonable approach of the two. Not the best
> solution, but weighing the two options, possibly the most practical at
> this point.
Except I've reached the point where I have little faith it will
help with your unspecified problem.
noexec will hose you if an otherwise legitimate job is on that
filesystem, because it won't exec. On the flip side, noexec does
nothing to prevent a priviledge escalation problem if a user puts
". /foo/bar/script.sh" as a command for cron (oh look, another way
where user A doing something foolish can lead to user B impersonating
him, and therefore forget what I said about fixing exec*() probably
being enough).
Are we getting the idea yet? This all would just be so much more
productive if you'd just tell us what thought it was that precipitated
"how do I limit cron's capabilities?".
I just can't help but get the feeling that our partial picture
will lead you to doing something that produces an undeserved sense of
security.
More information about the bblisa
mailing list