jail cronjob?

BestBoard

Hi,
I have a security problem with cronjobs on my server.
Any user that has cronjob access can run whatever he wants.
For example:
cat /etc/passwd > passwd

And he'll get it in his home folder.

I tried to jail a user and check if it makes a change, but it didn't.

Do you know any way to prevent it?

Thanks.
 
It was an example.
He can look everywhere.

Another example:
I have a customer that has a big forum.
His config file is in:
/home/bigf/public_html/forum/includes/config.php

Anyone with cronjob access can get his database information easily.

cat /home/bigf/public_html/forum/includes/config.php > config.php
 
Hmm... just tested this myself. Ownership and permissions don't affect it at all. Personally, I feel cron jobs for users should come jailed by default.
 
Hello,

Part of these tips:
http://help.directadmin.com/item.php?id=247

Number 9:
http://help.directadmin.com/item.php?id=254
which is already implemented into DA as BETA:
http://www.directadmin.com/features.php?id=961

Which will solve the "see in" issue.

Simply add this to your directadmin.conf:
Code:
secure_access_group=access
then restart DA, then type:
Code:
echo "action=rewrite&value=secure_access_group" >> /usr/local/directadmin/data/task.queue
to update it for existing users if you want.

Note that this is in beta still, but is promising as a solid solution to the issue of standard unix permissions on public_html folders.

EDIT: regarding jailing a cronjob, that would require all binaries that the cron needs to be copied to the user's home directory. This would use up huge amounts of space if each user got a copy of all the binaries on the system, hence it's not used, even though it is the most secure.

John
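
An added example, not part of the original thread and not DirectAdmin's own code: a shell audit an administrator can run to list the files under each public_html that the "other" permission class can read, which is the standard unix permission that lets one user's cron job read another user's config.php. It assumes the /home/<user>/public_html layout seen in the paths above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report files under each user's public_html that any other
# local account (and therefore any other user's cron job) is allowed to read.
# Assumption: homes follow the /home/<user>/public_html layout from the thread.

# other_can_enter DIR -> succeeds if the "other" class has the search (x) bit
other_can_enter() {
    [ -n "$(find "$1" -prune -type d -perm -o=x 2>/dev/null)" ]
}

# audit_world_readable [ROOT] -> prints one path per exposed file
audit_world_readable() {
    root=${1:-/home}
    for home in "$root"/*/; do
        home=${home%/}
        web="$home/public_html"
        [ -d "$web" ] || continue
        # A file is only reachable if every parent directory is searchable,
        # so a closed home or public_html protects everything below it.
        other_can_enter "$home" || continue
        other_can_enter "$web" || continue
        # Skip subtrees "other" cannot enter; print files with o+r set.
        find "$web" -type d ! -perm -o=x -prune -o -type f -perm -o=r -print
    done
}

# Run against /home when executed directly:
#   audit_world_readable /home
```

An empty result for a user means the permission bits already stop other accounts from reading that user's web files; any path printed is readable by a command like the `cat` shown in the first post.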
 