Bug 143191
| Summary: | (*system*) BAD FILE MODE | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jorge <jnovonj> |
| Component: | crontabs | Assignee: | Jason Vas Dias <jvdias> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Brock Organ <borgan> |
| Severity: | medium | Priority: | medium |
| Version: | 3 | Hardware: | All |
| OS: | Linux | Fixed In Version: | vixie-cron-4.1-20_EL3 |
| Doc Type: | Bug Fix | Last Closed: | 2005-01-26 16:13:26 UTC |
Description
Jorge
2004-12-17 09:00:15 UTC
By default, ISC cron 4.1 enforces that all crontab files MUST have mode 0600, and cannot be links - otherwise, they are ignored. This was a security feature to close known vulnerabilities in cron. We relaxed this somewhat to allow group/other read access - group/other write access or any execute access is still not allowed.

So to fix this, do:

    # chmod a-x,og-w /etc/cron.d/* /var/spool/cron/*

In vixie-cron-4.1-21 for FC3, I'm going to add the '-m <mode>' option, where '<mode>' is a 'umask'-like mask of crontab file mode bits NOT TO ACCEPT - by default, this is now 07133 - i.e. any of setuid/setgid/sticky, ugo-execute, or group/other write. With the '-m' option, you'll be able to disable all mode checking with '-m 0', which will also disable link checking.

This bug has been fixed with vixie-cron-4.1-20_FC3 (and now also with vixie-cron-4.1-21_FC3).

1. crond will now accept read-only crontab files by default
2. crond now has a '-p' option to turn off the default rejection of crontabs that have any of:
   - Write permission for group / other
   - any execute permission
   - more than one link
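
The mode and link rules described in the comment above, written out as an audit script. This is an added example, not part of the original bug report and not crond's own code; it assumes the 07133 reject mask and the link rules exactly as stated there, and the function names and problem strings are made up for the example.

```python
import os
import stat

# Default reject mask quoted in the comment above: setuid/setgid/sticky,
# any execute bit, group/other write.
DEFAULT_REJECT_MASK = 0o7133

def crontab_problems(path, reject_mask=DEFAULT_REJECT_MASK):
    """Return the reasons a crontab file fails the checks described above."""
    if reject_mask == 0:
        return []  # models '-m 0': mode and link checking both disabled
    st = os.lstat(path)  # lstat inspects the entry itself, not a link target
    if stat.S_ISLNK(st.st_mode):
        return ["symbolic link"]
    problems = []
    bad = stat.S_IMODE(st.st_mode) & reject_mask
    if bad & (stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX):
        problems.append("setuid/setgid/sticky bit set")
    if bad & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("execute permission set")
    if bad & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/other write permission set")
    if st.st_nlink > 1:
        problems.append("more than one hard link")
    return problems

def audit(directories=("/etc/cron.d", "/var/spool/cron")):
    """Map each offending crontab path to its list of problems."""
    report = {}
    for directory in directories:
        try:
            names = sorted(os.listdir(directory))
        except OSError as exc:  # missing directory, or not running as root
            report[directory] = [f"cannot list: {exc.strerror}"]
            continue
        for name in names:
            path = os.path.join(directory, name)
            if os.path.isdir(path) and not os.path.islink(path):
                continue  # subdirectories are not crontab files
            problems = crontab_problems(path)
            if problems:
                report[path] = problems
    return report

if __name__ == "__main__":
    for path, problems in audit().items():
        print(f"{path}: {', '.join(problems)}")
```

Run it as root so that `/var/spool/cron` is readable; any path it prints is one the `chmod a-x,og-w` command above (or removing the extra link) would bring back into compliance.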