I think the only thing perplexing about this question is the fact that you're actually trying to do it. ;-) I think most admins won't bother preventing a user from running any random commands that they have permission to run; instead I think most admins (including myself) apply permissions that are sufficiently restrictive, and the defaults are generally pretty good.
The way I prevent this problem is to assign umask 007 to every user. Set the permissions correctly one time ala chmod -R o-rwx, and never worry about world writable ever again. Sure, some weird user might change his umask or explicitly make something world writable and then add something in that area to his crontab. And then if some malicious person discovered and exploited it to execute commands as janeuser instead of joeuser, I think the risk is so low, and the steps to create it would be so colossally dumb, I'm just not worried about it. Then again, all my servers are in a protected internal network. I think except for the most extreme cases of server-is-facing-internet-and-customers-use-ssh-to-login, it's an unusual level of paranoia.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Ehrlich
> Sent: Wednesday, January 23, 2008 10:12 PM
> To: [email protected]
> Subject: [BBLISA] Appreciate the help...
>
> I received some interesting answers to my cron question. Most people said it was not possible. One person reviewed cron's source code and said the source would need to be modified. One person said I should mount the filesystem with noexec. I'll review and test the answers as best I can.
>
> To answer several people's curiosities of why I keep pushing - when I'm tasked with a quest, I try to tap all my resources, including this list, to find a solution. One never knows when an answer might be obvious, or perplexing, as this question seems to have been. To some, an answer is obvious. To others, it is perplexing. It all depends on each person's level of knowledge. The more one learns, the more things can become more obvious. Thus, we grow.
>
> In the end, like now, I try to provide my findings, and, if valid, may be of benefit to others.
>
> I try not to wear out the list, but do what the list was created for - discussion and inquiry of UNIX and related topics. This question proved to test people's knowledge, and I did get some good feedback.
>
> Thanks to all, and until the next adventure...
>
> Scott
>
> _______________________________________________
> bblisa mailing list
> [email protected]
> http://www.bblisa.org/mailman/listinfo/bblisa

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
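The umask 007 plus chmod -R o-rwx approach from the reply, as an added shell example that is not part of the original thread: it shows what "others" get on a freshly created file under each umask, audits a directory tree for world-writable files and directories (the kind of location another user's crontab could be pointed at), and applies the one-time recursive fix. It assumes POSIX sh, a find that accepts symbolic -perm modes (GNU find does), and mktemp; the directory layout and the user name joeuser are constructed for the walk-through.

```shell
#!/bin/sh
# Added example, not code from the original thread. Demonstrates the
# umask 007 / chmod -R o-rwx approach and audits a tree for entries that
# anyone on the system may modify. Assumes POSIX sh, GNU-style find with
# symbolic -perm modes, and mktemp.

# Print the permission bits "others" receive on a fresh file created under
# MASK inside DIR, or "none". Shell redirection asks for 0666, so the result
# is 0666 & ~MASK: umask 022 leaves r, umask 007 leaves nothing.
probe_other_perms() {
    dir=$1; mask=$2
    ( umask "$mask"; : > "$dir/probe" )
    bits=""
    [ -n "$(find "$dir/probe" -perm -o+r)" ] && bits="${bits}r"
    [ -n "$(find "$dir/probe" -perm -o+w)" ] && bits="${bits}w"
    [ -n "$(find "$dir/probe" -perm -o+x)" ] && bits="${bits}x"
    rm -f "$dir/probe"
    echo "${bits:-none}"
}

# Count files and directories under DIR that any user may modify.
# Symlinks are skipped: their own mode bits are not what matters, the
# target's are, and the target is counted where it lives.
world_writable_count() {
    find "$1" ! -type l -perm -o+w | wc -l | tr -d ' '
}

# The one-time fix from the reply: strip every "other" bit recursively.
lock_down() {
    chmod -R o-rwx "$1"
}

# Walk-through on a constructed tree: one world-writable script and one
# world-writable directory under a hypothetical user, audited before and
# after lock_down.
demo() {
    top=$(mktemp -d)
    mkdir -p "$top/home/joeuser/bin" "$top/home/joeuser/dropbox"
    : > "$top/home/joeuser/bin/nightly.sh"
    chmod 777 "$top/home/joeuser/bin/nightly.sh"   # constructed bad state
    chmod 777 "$top/home/joeuser/dropbox"          # constructed bad state
    echo "umask 022 gives others: $(probe_other_perms "$top" 022)"
    echo "umask 007 gives others: $(probe_other_perms "$top" 007)"
    echo "world-writable before: $(world_writable_count "$top/home")"
    lock_down "$top/home"
    echo "world-writable after:  $(world_writable_count "$top/home")"
    rm -rf "$top"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh audit.sh demo` to see the before/after counts; in real use, point `world_writable_count` at /home (or wherever crontab-referenced scripts live) from a periodic job so that a user who later loosens his own umask shows up in the report rather than going unnoticed.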
