Kurt Seifried Best Practices Advisory 002 (KSBPA-002)

http://seifried.org/security/best-practices/ksbpa-002-cron.html

By Kurt Seifried, [email protected], Copyright Kurt Seifried 2001


 

Title:

Cron security

Issue date:

Sep 21, 2001

History of advisory:

Sep 21, 2001 First version of this advisory

Author:

Kurt Seifried [email protected]

Credits:

N/A

Overview:

Many Linux vendors ship cron and by default allow all users touse cron. Most users do not need access to cron and should be restricted from using it.

Vendor Contact:

N/A

Impact:

Mostpeople allow all users to access cron allowing users to evade resource limits, and in some cases exploit vulnerabilities in cron that lead to system compromise.

Details:

Many sites and vendors allow all users to access cron. This can allow users to leave programs like irc bots running even if you have security measures to kill all of a user's processes when they log out. A user would simply need to schedule a script to run once a minute that checks if their irc bot is running and if not start it. Numerous other abuses are also possible.

Solutions and workarounds:

Cron has built in support to limit which users can or cannot use it. By entering names in /etc/cron.allow a user must be listed in this file to use cron, otherwise they are denied by default, Conversely if you use /etc/cron.deny they will be denied access to cron if they are listed, if they are not listed they will be allowed to use it by default. Of course it is much safer to use /etc/cron.allow and restrict cron to only the system accounts that require access to it (such as root). For example to only allow various system accounts to use cron you would create an /etc/cron.allow with the following:

root

and so forth. To block untrusted users from using cron you would create an /etc/cron.deny with the following:

bob
joe
mary
hacker

Recommendations to vendors:

Vendors can create an /etc/cron.allow files with the users lists that require access for the system to operate properly (i.e. root). Any user not listed in here will not be allowed to use cron. Alternatively an /etc/cron.deny can be created, and with a modified "adduser" command you could prompt the administrator to block a user from being allowed to use cron (making sure the default is no).

References:

None

 


Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the bulletin is not edited or changed in any way, is attributed to Kurt Seifried, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Kurt Seifried is not liable for any misuse of this information by any third party.