Of cron and permissions

09Aug06

Learnt something new about cron today.

==History==

A while back, a vulnerability came up in the Linux kernel's handling of core dumps. In a nutshell, an attacker could get a root shell on a vulnerable machine by dumping core into /etc/cron.d and waiting a little more than a minute, which is how long crond takes to notice a new file in that directory on its next scan.

==Now==

Back when the vulnerability was announced, a short workaround was posted with it: chmod 750 /etc/cron.*. That seemed to be based on the fact that the sample exploit code had to change directory into /etc/cron.d before dumping core.

The reasoning went that if a user couldn't even get into /etc/cron.d (or any of /etc/cron.*, for that matter), the core couldn't be dumped in the directory and exploited.

Now, when we were implementing this workaround on one of our servers, we (ok, I) got a little over-zealous and ended up giving those 750 permissions to /etc/cron.*/* as well, that is, to the files inside the directories.

As you can figure.. this was a Bad Thing.

crond all but gave up on us after that. Restarting the daemon produced this beautiful little nugget in the log:
myserver crond[14938]: (CRON) STARTUP (V5.0)
myserver crond[14938]: (*system*) BAD FILE MODE (/etc/crontab)
myserver crond[14938]: (*system*) BAD FILE MODE (/etc/cron.d/mailman)

and crond resolutely refused to load those files after that. Since /etc/crontab is where the run-parts entries for the /etc/cron.*ly directories live, nothing in /etc/cron.* ran either.

It took a bit of digging, but the solution was simple…

… DO NOT chmod 750 /etc/cron.*/*. BAD IDEA.

We got our friendly crond back after pacifying it with some nicer permissions, as shown below:

  • /etc/crontab        644
  • /etc/cron.d         754
  • /etc/cron.d/*       644
  • /etc/cron.*ly       750
  • /etc/cron.*ly/*     500

Well, at least cron‘s happy now. And our scripts run fine.

(The two kinds of file want different treatment. /etc/crontab and the files in /etc/cron.d are crontab-format files that crond parses itself: they must be regular files owned by root, not executable and not writable by group or other, so 644 or 600 is what crond wants, and an execute bit is exactly what earns the BAD FILE MODE above. The scripts in /etc/cron.*ly are plain executables that run-parts launches as root, so they only need the owner execute bit, which is why 500 works there. The 750 workaround belongs on the /etc/cron.* directories themselves, not on anything inside them. And it is only a workaround: it stops the sample exploit, which has to chdir into /etc/cron.d before dumping core, but the kernel bug itself is still there until the kernel is patched.)
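As an added example (not code from the original post), here is a small POSIX shell audit that encodes those rules and runs them over a constructed scratch tree reproducing the post's good and bad modes. It assumes a GNU or BSD stat, and the CRON_OWNER variable (default root) is an assumption of the example so the scratch tree can belong to an unprivileged user.

```shell
#!/bin/sh
# Added example, not from the original post: audit a cron tree against the
# rules the post arrived at by trial and error.
#   * /etc/crontab and /etc/cron.d/*: crontab-format files that crond parses
#     itself. Regular file, owned by root, no execute bits, not writable by
#     group or other; 0644 or 0600 passes, 0750 gets "BAD FILE MODE".
#   * /etc/cron.{hourly,daily,weekly,monthly}: directories, 0750 is fine.
#   * scripts inside them: run-parts launches them as root, so only the owner
#     execute bit matters; 0500 or 0700 works, 0644 is silently skipped.
# CRON_OWNER is an assumption of this example (crond itself insists on root).

CRON_OWNER=${CRON_OWNER:-root}

mode_of() {                 # permission bits as four octal digits, e.g. 0644
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        printf '%04o' "0$(stat -c '%a' "$1")"
    else
        printf '%04o' "0$(stat -f '%Lp' "$1")"    # BSD stat
    fi
}

owner_of() {
    if stat -c '%U' "$1" >/dev/null 2>&1; then stat -c '%U' "$1"
    else stat -f '%Su' "$1"; fi
}

# Crontab-format file: the mode test behind the BAD FILE MODE message seen in the post.
check_crontab_file() {
    f=$1
    [ -f "$f" ] || { echo "NOT REGULAR $f"; return 1; }
    [ "$(owner_of "$f")" = "$CRON_OWNER" ] || { echo "WRONG OWNER $f"; return 1; }
    m=$(mode_of "$f")
    if [ $(( 0$m & 0111 )) -ne 0 ]; then
        echo "BAD FILE MODE $f ($m): execute bit set"; return 1
    elif [ $(( 0$m & 0022 )) -ne 0 ]; then
        echo "BAD FILE MODE $f ($m): writable by group or other"; return 1
    fi
    echo "OK $f ($m)"
}

# run-parts directory: must not be writable by group or other; 0750 is fine.
check_script_dir() {
    d=$1; m=$(mode_of "$d")
    if [ $(( 0$m & 0022 )) -ne 0 ]; then
        echo "INSECURE DIR $d ($m): writable by group or other"; return 1
    fi
    echo "OK $d ($m)"
}

# run-parts script: needs the owner execute bit and nothing more.
check_script() {
    s=$1; m=$(mode_of "$s")
    if [ $(( 0$m & 0100 )) -eq 0 ]; then
        echo "NOT EXECUTABLE $s ($m): run-parts will skip it"; return 1
    elif [ $(( 0$m & 0022 )) -ne 0 ]; then
        echo "INSECURE SCRIPT $s ($m): writable by group or other"; return 1
    fi
    echo "OK $s ($m)"
}

# Walk a cron tree rooted at $1 (/etc by default); exit status = problems found.
audit_cron_tree() {
    root=${1:-/etc}; bad=0
    [ -e "$root/crontab" ] && { check_crontab_file "$root/crontab" || bad=$((bad+1)); }
    for f in "$root"/cron.d/*; do
        [ -e "$f" ] && { check_crontab_file "$f" || bad=$((bad+1)); }
    done
    for d in "$root"/cron.hourly "$root"/cron.daily "$root"/cron.weekly "$root"/cron.monthly; do
        [ -d "$d" ] || continue
        check_script_dir "$d" || bad=$((bad+1))
        for s in "$d"/*; do
            [ -e "$s" ] && { check_script "$s" || bad=$((bad+1)); }
        done
    done
    return $bad
}

# Constructed scratch tree with the post's good and bad modes; prints its path.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/cron.d" "$t/cron.daily"
    printf '# constructed sample\n' > "$t/crontab";            chmod 644 "$t/crontab"
    printf '# fine\n' > "$t/cron.d/good";                       chmod 644 "$t/cron.d/good"
    printf '# the over-zealous chmod\n' > "$t/cron.d/overzealous"; chmod 750 "$t/cron.d/overzealous"
    printf '# anyone can edit this\n' > "$t/cron.d/loose";      chmod 666 "$t/cron.d/loose"
    chmod 750 "$t/cron.daily"
    printf '#!/bin/sh\n' > "$t/cron.daily/backup";              chmod 500 "$t/cron.daily/backup"
    printf '#!/bin/sh\n' > "$t/cron.daily/forgotten";           chmod 644 "$t/cron.daily/forgotten"
    echo "$t"
}

# Demo on the scratch tree: its files belong to whoever runs this, not root.
CRON_OWNER=$(id -un)
tree=$(build_sample_tree)
audit_cron_tree "$tree" || echo "$? problem(s) found in $tree"
rm -rf "$tree"
```

On a real box, source the file and call audit_cron_tree /etc as root; the exit status is the number of problems, and the three findings on the scratch tree are the over-zealous 0750 crontab file, the group/world-writable one, and the run-parts script that lost its execute bit.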



9 Responses to “Of cron and permissions”

  1. Cheers dude, that helped me out quite a bit!! Shame the error message doesn’t give you a clue as to what the permissions should be.

  2. Hello there! This blog post could not be written much better! Going through this article reminds me of my previous roommate! He constantly kept preaching about this. I most certainly will forward this post to him. Fairly certain he'll have a good read. Thank you for sharing!

  3. Hello there, you've done a great job. I'll certainly digg it and personally recommend it to my friends. I am confident they will benefit from this site.

  4. Since a good number of years this strength has been demonstrated well by PS Custom Homes while providing the Remodel Quest In Cityvilleing and home building team. For others, it can still cause the problems. Step one involves prepping the kitchen for the Remodel Quest In Cityville.

  5. Vera: I do not even know how I ended up here, however I believe this post was great. I do not know who you are but definitely you are going to be a well-known blogger if you are not already. Cheers!

  6. bugref: Thanks a lot dude, appreciate this very much, Godspeed.

  7. Nice answers in return to this query, with genuine arguments, explaining the whole thing about that.

  8. That is, as everyone knows, top-notch, many thanks! I liked it and it is extremely remarkable. I find the flashes of insight understandable. Such ideas have likewise gone through my brain, because I respect that this, moreover, represents an appealing topic for my bookworms.

  9. Whoah, this blog is great, I love reading your posts. Keep up the great work! You know, lots of people are looking around for this info; you could help them greatly.

