Of cron and permissions

09Aug06

Learnt something new about cron today...

==History==

A while back, a vulnerability in the Linux kernel's handling of core dumps came up. In a nutshell, attackers could get a root shell on a vulnerable machine by dumping core into /etc/cron.d and waiting a little more than a minute: crond treats every file in /etc/cron.d as a system crontab and rescans the directory every minute, so a core file containing a crafted crontab line got picked up and run as root.

==Now==

Back when the vulnerability was announced, a short workaround was also posted: chmod 750 /etc/cron.*. This seems to have been based on the fact that the sample exploit code changed directory into /etc/cron.d before dumping core.

The reasoning went that if an ordinary user couldn't even enter /etc/cron.d (or any /etc/cron.* directory, for that matter), the core couldn't be dumped into the directory and picked up by cron.

Now, when we were implementing this workaround on one of our servers, we (ok, I) got a little over-zealous and ended up giving those 750 permissions to /etc/cron.*/* as well.

As you can figure.. this was a Bad Thing.

cron just about gave up on us after that, with this beautiful little nugget after restarting the daemon:
myserver crond[14938]: (CRON) STARTUP (V5.0)
myserver crond[14938]: (*system*) BAD FILE MODE (/etc/crontab)
myserver crond[14938]: (*system*) BAD FILE MODE (/etc/cron.d/mailman)

and crond resolutely refused to run anything from /etc/crontab or /etc/cron.* after that. The check is on the files themselves: a system crontab that is executable (or writable by anyone but root) is rejected with BAD FILE MODE and simply never loaded.

It took a bit of digging, but the solution was simple…

… DO NOT chmod 750 /etc/cron.*/*. BAD IDEA.

We got back our friendly crond after pacifying it with some nicer permissions, as shown below:

  • /etc/crontab: 644
  • /etc/cron.d: 754
  • /etc/cron.d/*: 644
  • /etc/cron.*ly (hourly, daily, weekly, monthly): 750
  • /etc/cron.*ly/*: 500

Well, at least cron‘s happy now. And our scripts run fine.

(The scripts in /etc/cron.*ly/* run fine so long as they're executable by root, which is the user cron runs them as. /etc/crontab and the crontab fragments in /etc/cron.d are a different matter: they are configuration files, not scripts, and crond refuses them if they're executable. You only need the 750 workaround on the /etc/cron.* directories themselves.)
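As an added example (not code from the original post), here is a small POSIX sh audit script that encodes the permission rules this post ended up with, so the mistake above gets caught before crond logs BAD FILE MODE. The rule applied to /etc/crontab and /etc/cron.d/* is an assumption modelled on the BAD FILE MODE check in vixie-cron/cronie as I understand it (owner-readable, no owner execute, no group/other write or execute, no setuid/setgid/sticky bits); it agrees with the post's own evidence (644 accepted, 750 rejected) but is not quoted from crond's source. The directory rule is the workaround's own (root rwx, nobody else writes, "other" cannot traverse), not something crond enforces. `stat -c` is GNU coreutils, and the root-ownership check crond also performs is left out so the script can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post: audit cron's permission
# expectations on a /etc-like tree. ASSUMPTIONS: the system-crontab rule
# below is modelled on cronie/vixie-cron's BAD FILE MODE check (not quoted
# from its source); `stat -c` is GNU; root ownership is not checked.

# split_mode MODE -- set $special $owner $group $other from an octal string
# such as 644 or 0750; returns 1 if MODE is not 3 or 4 octal digits.
split_mode() {
    case $1 in
        [0-7][0-7][0-7])      m="0$1" ;;
        [0-7][0-7][0-7][0-7]) m="$1" ;;
        *)                    return 1 ;;
    esac
    special=${m%???}; m=${m#?}
    owner=${m%??};    m=${m#?}
    group=${m%?};     other=${m#?}
}

# cron_file_mode_ok MODE -- would crond load /etc/crontab or a file in
# /etc/cron.d with this mode?  0 = yes, 1 = "BAD FILE MODE", 2 = bad input.
cron_file_mode_ok() {
    split_mode "$1" || return 2
    [ "$special" -eq 0 ]     || return 1   # no setuid/setgid/sticky
    [ $((owner & 4)) -ne 0 ] || return 1   # root must be able to read it
    [ $((owner & 1)) -eq 0 ] || return 1   # owner execute: the 750 mistake
    [ $((group & 3)) -eq 0 ] || return 1   # group write/execute rejected
    [ $((other & 3)) -eq 0 ] || return 1   # other write/execute rejected
}

# cron_dir_mode_ok MODE -- the workaround's rule for /etc/cron.* directories:
# root rwx, nobody else may write, and "other" may not even enter it.
cron_dir_mode_ok() {
    split_mode "$1" || return 2
    [ "$owner" -eq 7 ]       || return 1   # root needs rwx on the directory
    [ $((group & 2)) -eq 0 ] || return 1   # group must not write
    [ $((other & 3)) -eq 0 ] || return 1   # other: no write, no traverse
}

# audit_cron_tree ROOT -- check ROOT/crontab, ROOT/cron.d/*, the ROOT/cron.*
# directories and the scripts under ROOT/cron.*ly. Prints one line per
# problem; returns 1 if anything is wrong, 0 when the tree looks sane.
audit_cron_tree() {
    root=$1; bad=0
    for f in "$root/crontab" "$root"/cron.d/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if ! cron_file_mode_ok "$mode"; then
            echo "BAD FILE MODE ($f): is $mode, want 644"; bad=1
        fi
    done
    for d in "$root"/cron.*; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        if ! cron_dir_mode_ok "$mode"; then
            echo "directory $d is $mode; the workaround wants 750 (or 754)"; bad=1
        fi
    done
    # run-parts only runs files in cron.hourly/daily/... that are executable
    for s in "$root"/cron.*ly/*; do
        [ -f "$s" ] || continue
        if ! [ -x "$s" ]; then
            echo "script $s is not executable; run-parts will skip it"; bad=1
        fi
    done
    return $bad
}

# Usage: sh cron-perms-check.sh /etc   (only audits when a path is given)
if [ $# -gt 0 ]; then
    audit_cron_tree "$1"
fi
```

Run it as `sh cron-perms-check.sh /etc` on a box where the 750-everywhere mistake has been made and it reports /etc/crontab and each /etc/cron.d file with the mode crond will reject, which is exactly the clue the syslog line above doesn't give you.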



4 Responses to “Of cron and permissions”

  1. Cheers dude, that helped me out quite a bit!! Shame the error message doesn’t give you a clue as to what the permissions should be.

