Operating System - HP-UX

Re: Ability of non root user to modify root cron

 
Mike Kapsak
Advisor

Ability of non root user to modify root cron

A user has a sign-on to gl and jobtrack apps only. He is responsible for several entries in the root cron. From time to time he requests changes to these entries. The changes are then taken care of by a root user. Can this user be set up to modify the root cron without giving him root capability?

Thanks
4 REPLIES
Ron Cornwell
Trusted Contributor

Re: Ability of non root user to modify root cron

To give someone access to root's crontab you just have to modify the permissions on the file itself /var/adm/cron/root. THIS IS A HUGE SECURITY RISK. The best way is to modify your current setup so that this user's cron jobs run from their own crontab file. This can be done with SUID files and the lot. HTH
Victor BERRIDGE
Honored Contributor

Re: Ability of non root user to modify root cron

Hi,
If that person has to modify the root cronfile, you could use sudo (download it from your favorite porting center) to let him be root while executing crontab (sudo /usr/bin/su root -c /usr/bin/crontab...)...


All the best

Victor
Alan Riggs
Honored Contributor

Re: Ability of non root user to modify root cron

This is simply a bad idea.

The ability to modify root's cron is the ability to run a root kit at will. At the most I would recommend allowing the person to see a copy of the cronfile and modify it accordingly. A root user could then compare the changes, make sure they are safe, then activate the cronfile.

Even this is a security risk if any command executed by the cronfile is modifiable by the user(s) in question, but it is better than just opening up root cron directly.
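
The review step described in the reply above (compare the user's edited copy against the live cronfile, then check that nothing it runs can be modified by the user) can be partly automated. The following POSIX sh sketch is an added example, not code from any poster in this thread; the function names and the `TRUSTED_OWNER` variable are assumptions of the example, and anything it tags `REVIEW` still needs a sysadmin to look at it.

```shell
#!/bin/sh
# Added example: pre-activation review of a proposed root crontab.
# TRUSTED_OWNER and both function names are assumptions of this example.
TRUSTED_OWNER=${TRUSTED_OWNER:-root}

# is_safe_path PATH
# Succeeds only if PATH exists, is owned by TRUSTED_OWNER, and is not
# writable by group or other.
is_safe_path() {
    [ -e "$1" ] || return 1
    # find prints the path only when owner or mode is unacceptable.
    [ -z "$(find "$1" -prune \( ! -user "$TRUSTED_OWNER" \
        -o -perm -020 -o -perm -002 \) -print)" ]
}

# review_crontab CURRENT PROPOSED
# Prints one line per new or changed entry in PROPOSED, tagged OK or
# REVIEW, and returns 0 only when nothing is tagged REVIEW.
review_crontab() {
    report=$(
        set -f  # schedule fields contain '*'; never glob-expand them
        # Lines of PROPOSED that do not appear verbatim in CURRENT.
        grep -Fxv -f "$1" "$2" |
        while read -r min hour dom mon dow cmd; do
            case $min in ''|'#'*) continue ;; esac  # blank or comment
            verdict=OK
            # An entry must start with an absolute path to be checkable.
            case $cmd in /*) ;; *) verdict=REVIEW ;; esac
            # Check every absolute path named in the command, plus its
            # directory (a writable directory allows replacing the file).
            for word in $cmd; do
                case $word in
                /*) is_safe_path "$word" &&
                    is_safe_path "$(dirname "$word")" ||
                    verdict=REVIEW ;;
                esac
            done
            printf '%s  %s\n' "$verdict" "$cmd"
        done
    )
    [ -z "$report" ] || printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^REVIEW'; then return 1; fi
    return 0
}
```

The check covers only the named files and their immediate directories; ancestors further up the path, and anything those scripts call in turn, remain part of the manual review.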
Darrell Allen
Honored Contributor

Re: Ability of non root user to modify root cron

Hi Mike,

First, root's crontab is powerful. I wouldn't want anyone but a sysadmin modifying it. Do you really want to let a user run anything he wants as root? Not a good thing.

You could let / help the user set up his own crontab and use sudo or possibly a setuid script / program (and this is dangerous - don't let it be writable) if his tasks have to be performed as root. Even then, I'd only do so if the tasks absolutely had to run as root and I wouldn't allow him to modify the script. In the end you come back to having a sysadmin make the change anyway.

It's just a very bad thing to give up root access in any form.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)