Summary: Review Request: fcron, a task scheduler

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=185531

------- Additional Comments From fcron@xxxxxxx 2006-03-23 15:13 EST -------
(In reply to comment #23)
> I have tried to run fcrontab. To avoid a warning, I made a patch I attach.

Your patch is very dangerous from a security point of view. As a matter of fact, you don't check that the file is not writable by someone other than root. As a result, if the administrator makes a mistake and the rights of fcron.conf become -rw-rw-rw (or -rw-rw--- if the attacker is able to compromise, say, fcrontab), then an attacker could change the sendmail line to something like:

    sendmail = /my/dangerous/program

and /my/dangerous/program would be executed as root by fcron. The strict test is here to avoid this...

By the way, why would you like the group or the user to be able to write to /etc/fcron.conf? If you just want anyone to be able to read /etc/fcron.conf so as to remove a suid bit from fcrondyn, then you don't need this patch... just set the rights of the file to 644!

> But
> unfortunately fcrontab doesn't work, as root or as a user.
>
> As root:
> [root@localhost log]# fcrontab /etc/crontab
> 22:51:51 Could not authenticate user using PAM (4): System error
>
> As a user:
> 22:49:06 Could not change egid to fcron[505]: Operation not permitted
>
> Nothing appears in logs.

fcrontab needs the suid bit for the group too, so its rights should be 6755 and not 4755 as in your patch. (But I'm not sure about the PAM error as root: it may be something else.)