Centos – /etc/crontab permissions

centoscronlinuxpermissions

The /etc/crontab file has the permissions:

-rw-r--r--

I understand that this file is for system cron jobs and other users should not have permission to modify it. The current permissions allows all users read access to the file, enabling them to view the contents.

Is it necessary for all users to be able read /etc/crontab? I believe that all users should not know some administrative commands, so wouldn't it be better to change the permissions to -rw-r-----?

I used the permission string from CentOS and have not tested it on other distros.

Best Answer

This would be security by obscurity. There is no real benefit by preventing normal users from reading /etc/crontab. Even if a user can't read the file, it's still possible to gather the executed command just by regularly capturing the process list with ps or by reading /proc.

There should be no need at all to hide some administrative commands except when you put credentials in the command-line. But you should never put credentials in the command line anyway as a normal user can read the command-line, so no real benefit.

There is a mount option/kernel patch for procfs preventing PID leakage as well as some kernel modules like grsec which prevent PID leaks.

The benefit of having the file system readable is that you can have a look/debug the system as a non root user. You don't have to switch to the root user just to check the system crontabs.

Related Solutions

What are the filesystem permissions for a cron job

On CentOS, the daily cron job gets executed as

/usr/bin/run-parts /etc/cron.daily

run-parts is a shell script. It looks through the contents of its argument (a directory), filters out things such as files that end in ~, .swp, .rpmsave, and directories, then for every file that passes the test if [ -x $i ], that is, executable by root, it runs the file.

So all the files in /etc/cron.daily that have any x bit at all turned on will be run. You can set the permissions on those files to deny read access to everyone, if you wish; it doesn't matter to root. If you have embedded passwords in the scripts that may be passed as arguments to commands, note that all /proc/*/cmdline files are publically readable, so all users can see all commands and arguments as they're being run.

Cron – How Files Under /etc/cron.d Are Used

In Debian derivatives, including Lubuntu, the files in /etc/cron.d are effectively /etc/crontab snippets, with the same format. Quoting the cron manpage:

Additionally, in Debian, cron reads the files in the /etc/cron.d directory. cron treats the files in /etc/cron.d as in the same way as the /etc/crontab file (they follow the special format of that file, i.e. they include the user field). However, they are independent of /etc/crontab: they do not, for example, inherit environment variable settings from it. This change is specific to Debian see the note under DEBIAN SPECIFIC below.

Like /etc/crontab, the files in the /etc/cron.d directory are monitored for changes. In general, the system administrator should not use /etc/cron.d/, but use the standard system crontab /etc/crontab.

The Debian-specific section hints at the reason system administrators shouldn’t use /etc/cron.d:

Support for /etc/cron.d (drop-in dir for package crontabs)

It’s designed to allow packages to install crontab snippets without having to modify /etc/crontab.

Best Answer

Related Solutions

What are the filesystem permissions for a cron job

Cron – How Files Under /etc/cron.d Are Used

Related Question