Koozali.org: home of the SME Server

cron

Bruce

cron
« on: June 05, 2001, 04:15:34 AM »
I have an e-smith box at home and want to execute a small file copy script hourly.
I have seen how to set this up in e-smith somewhere, but for the life of me I cannot find it again.
Can someone point me in the right direction?

Thanks.

David Helmuth

Re: cron
« Reply #1 on: June 05, 2001, 07:26:13 AM »
Just write a small shell script to do the copy...

cp /path/filename /destpath/destfilename

Then place the file in the ..

/etc/cron.hourly

directory....

FYI: Admin will get a notice every time this runs...

Peter Hollandare

Re: cron
« Reply #2 on: June 06, 2001, 01:34:24 PM »
Make a file in /etc/cron.hourly
chmod 777

Done.

Colin Hogben

Re: cron
« Reply #3 on: June 06, 2001, 01:51:12 PM »
> Make a file in /etc/cron.hourly
> chmod 777 file

Erk!  777 gives world-write permission to a file executed by root.  You don't want to do that.

  chmod 755 file

at most, maybe even 700.

Peter Hollandare

Re: cron
« Reply #4 on: June 06, 2001, 07:26:21 PM »
Colin Hogben wrote:
 
> Erk!  777 gives world-write permission to a file executed by
> root.  You don't want to do that.

Eh? Quit the bullshit.

If you create this file as root (under a normal install with e-smith) *NO ONE* else than root could execute this file.

After all, to set rules with ipchains is a "root" thing, and a "root" thing ONLY!
So chmod 777 is just fine.

Colin Hogben

Re: cron
« Reply #5 on: June 06, 2001, 07:46:12 PM »
> If you create this file as root (under a normal install with
> e-smith) *NO ONE* else than root could execute this file.

> After all, to set rules with ipchains is a "root" thing, and a
> "root" thing ONLY!
> So chmod 777 is just fine.

I think it is a security risk because any user with access to the filesystem can get root access.  E.g. if a security loophole compromises a daemon running as user nobody, the attacker can append or overwrite the file with naughty commands, which then get executed as root next time the cron job runs.  I.e. a non-root compromise gets escalated to a root compromise.

Having said that, I am not an expert on e-smith so maybe there is some other factor in play, such as everything else being chrooted or somesuch, so I stand to be corrected.

Kirrily Robert

Re: cron
« Reply #6 on: June 11, 2001, 06:04:43 PM »
Colin Hogben wrote:

> I think it is a security risk because any user with access to
> the filesystem can get root access.  E.g. if a security
> loophole compromises a daemon running as user nobody, the
> attacker can append or overwrite the file with naughty
> commands, which then get executed as root next time the cron
> job runs.  I.e. a non-root compromise gets escalated to a
> root compromise.
>
> Having said that, I am not an expert on e-smith so maybe
> there is some other factor in play, such as everything else
> being chrooted or somesuch, so I stand to be corrected.

Colin, you're absolutely right.  Files should never (or at least VERY seldom, and only if you know exactly what you're doing) be mode 777, and ESPECIALLY not when they're owned by root.

As Colin pointed out, anyone with access to the filesystem could write their own commands into the file, then they would be run the next hour and could destroy the system or something.  The cron jobs in /etc/cron.hourly are not run chrooted or otherwise protected (wouldn't be able to do their jobs that way) so that won't save you.

In the interests of further promoting the e-smith architecture, I should probably also recommend that you put your script in /etc/e-smith/templates-custom/etc/cron.hourly rather than just in /etc/cron.hourly -- that will mean it gets backed up as a custom configuration, and keeps all your special additions to the server separate so you can find and manage them more easily.

K.
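
An added example, not part of any post in this thread: a shell function that checks a cron directory such as /etc/cron.hourly for the condition discussed above, a script run by root that an account other than root can modify. The function name audit_cron_dir and its optional owner-UID argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag cron scripts that a non-root
# account could modify. The name audit_cron_dir is made up for this example.

# audit_cron_dir DIR [OWNER_UID]
#   Checks DIR itself and the regular files and directories directly inside it.
#   A finding is anything writable by group or other, or not owned by
#   OWNER_UID (default 0, i.e. root).
#   Prints findings in "ls -ld" format.
#   Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
audit_cron_dir() {
    dir=$1
    owner=${2:-0}

    if [ ! -d "$dir" ]; then
        echo "audit_cron_dir: $dir is not a directory" >&2
        return 2
    fi

    # -perm -020 / -perm -002: group-write / world-write bit is set.
    # A writable directory matters too: whoever can write to it can replace
    # the script even when the script's own mode is strict.
    findings=$(find "$dir" -maxdepth 1 \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 -o ! -user "$owner" \) \
        -exec ls -ld {} +)

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit_cron.sh /etc/cron.hourly
if [ "$#" -gt 0 ]; then
    audit_cron_dir "$@"
fi
```

A script set to mode 755 or 700 and owned by root, in a directory only root can write to, produces no output and a zero exit status.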