Re: cron - security

Tom Dawson
Regular Advisor

cron - security

All,

I've noticed that in the AusCERT "UNIX Security Checklist v2.0", they recommend that I "CONSIDER disallowing cron for regular users".

I'm inclined to do this for scheduling/performance reasons. But can somebody explain to me what the security risks might be of allowing cron access to regular users?

Thanks,
Tom
harry d brown jr
Honored Contributor
Solution

Re: cron - security

I guess I would ask: Why do regular users need to use cron? If it's something that they need, then maybe they need to place it into a production process that should be monitored.

my $.02

live free or die
harry
Live Free or Die
Ian Dennison_1
Honored Contributor

Re: cron - security

Because you lose central control of the scheduling process, which can lead to performance problems and workload issues.

Share and Enjoy! Ian
Building a dumber user
Pete Randall
Outstanding Contributor

Re: cron - security

Tom,

As a general rule, I want the developers to come to me and explain exactly what their process does and exactly why they have to have it regularly scheduled before I'll allow it on MY system. I'm the one that's responsible for the system's performance, so I want to know what's scheduled and when. It's more of a control issue than a security issue to me.


Pete
john korterman
Honored Contributor

Re: cron - security

Hi Tom,
if the system administrator is not solely responsible for the running of all cron jobs, he/she is not able to detect which jobs look suspicious - thus allowing more room for hackers, e.g. via anonymous ftp downloads.

regards,
John K.
it would be nice if you always got a second chance
David_246
Trusted Contributor

Re: cron - security

Hi Tom,

In other words, try to minimize the use of cron for regular users. It can affect your system heavily. So if they need the use of cron, explain their responsibilities to them.

Sorry, but I don't believe in "it's my system" anymore, that was 20 years ago. Now it has become the business system and we only recommend.

Although, when they start fingerpointing, make sure you have explained the risks, so you can point back :)


Regs David
@yourservice
Steven E. Protter
Exalted Contributor

Re: cron - security

Our policy allows cron for the following users:

root
oracle
sag

The last two users own large database applications that require a complex schedule of events to stay running in an optimized fashion.

Regular users have no need for cron and it's a security and performance hazard. It's not like Windows where everyone gets a schedule and most don't use it. We don't let our Windows users see or change that schedule either.

Don't consider disallowing cron for regular users, do it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
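A small audit check, added here as an example and not code from this thread, that lists every user who owns a crontab but is not on the cron.allow list Steven describes. The HP-UX paths in the comments are assumptions about the target system, and the allow list and crontabs below are constructed sample data so it runs offline.

```shell
#!/bin/sh
# Report crontab owners that are missing from cron.allow.
# Assumed HP-UX default locations (adjust for your system):
#   allow list: /var/adm/cron/cron.allow   (one username per line)
#   spool dir:  /var/spool/cron/crontabs   (one file per user, named after the user)
# Usage: cron_audit ALLOW_FILE SPOOL_DIR
# Prints each offending user; returns 1 if any were found, 0 otherwise.
cron_audit() {
    allow_file=$1
    spool_dir=$2
    rc=0
    for crontab_path in "$spool_dir"/*; do
        [ -f "$crontab_path" ] || continue
        user=$(basename "$crontab_path")
        # -x forces a whole-line match so "oracle" does not match "oracle2"
        if ! grep -qx "$user" "$allow_file"; then
            echo "$user"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample data: the three allowed users from the policy above,
# one crontab for an allowed user and one for a regular user.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'root\noracle\nsag\n' > "$demo_dir/cron.allow"
mkdir "$demo_dir/crontabs"
printf '0 2 * * * /opt/oracle/bin/nightly.sh\n' > "$demo_dir/crontabs/oracle"
printf '*/5 * * * * /home/tdawson/poll.sh\n' > "$demo_dir/crontabs/tdawson"

# Expected to print "tdawson" and return 1
cron_audit "$demo_dir/cron.allow" "$demo_dir/crontabs" \
    || echo "crontabs found for users outside cron.allow"
```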
Ian Dennison_1
Honored Contributor

Re: cron - security

David,

How about "It's MY job to save you from yourself?" In my experience, if you do not assert your responsibility for the OS as the resident expert in that area, any non-SysAdmin armed with a couple of buzzwords can make your life merry hell!

I dislike the "Us vs Them" situation too, but it's "Them" that usually need to adjust their perception.

Share and Enjoy! Ian
Building a dumber user
Pete Randall
Outstanding Contributor

Re: cron - security

And "Them" aren't usually there to help when the system crashes, unless it's to ask "Us" why it's taking so long to get "Their" system back up.

;^)

Pete
David_246
Trusted Contributor

Re: cron - security

Hee, what would you like more to do?

Adding a cron user, or bringing a system back online due to a user failure ?

I'd prefer the more challenging one :)

If you have things covered well enough these are the moments you can get your advantages out of!

Maybe, I like it too much to play, Pete :)


Best Regs David
@yourservice
Tom Dawson
Regular Advisor

Re: cron - security

All,

Thanks for the replies. You've all pointed out most of the same reasons why I'm disinclined to give out cron access. In our shop, the dispute is over whether to allow it for the oracle user. I'm leaning strongly towards not allowing it so that I can maintain better control over scheduling, and indirectly, system performance.

Thanks again,
Tom