[Clip] CLIP kickstart file adds overly restrictive permissions to cron files

Brandon Whalen bwhalen at tresys.com
Mon Mar 30 19:52:24 CDT 2009


On 3/27/09 1:05 PM, "James Homer" <James.Homer at nexor.com> wrote:

> I have been doing some testing of a customised logrotate configuration and I think
> that the files in
> 
> /etc/cron.daily (and others)
> 
> Have the permissions set to be too restrictive to allow them to function as
> expected. I have set the permissions as follows
> 
> -rwx------ 1 root root 183 Mar 27 04:07 /etc/cron.daily/logrotate
> 
> and the log rotation appears to now work under the control of crond. This may
> be the desired behaviour; however, the notes in the kickstart file suggest that
> some may require 700, but I don't have access to the UNIX checklist mentioned.
> 
> <snip>
> ## ... The SA will ensure crontabs have
> ## permissions of 600, or more restrictive, (700 for some Linux crontabs, which
> ## is detailed in the UNIX Checklist).
> chmod -R 600 /etc/cron.daily
> chmod -R 600 /etc/cron.hourly
> chmod -R 600 /etc/cron.weekly
> chmod -R 600 /etc/cron.monthly
> chmod 600 /etc/crontab
> chmod -R 600 /etc/cron.d
> </snip>
> 
> 
> I am happy to update this locally for my purposes but thought I should bring
> it to light. The lines I would suggest need changing are
> 
> chmod -R 700 /etc/cron.daily
> chmod -R 700 /etc/cron.hourly
> chmod -R 700 /etc/cron.weekly
> chmod -R 700 /etc/cron.monthly
> 
This looks like a valid bug in CLIP. Since CLIP is setting the files to 600
we were passing the SRR checks for anything more permissive than 700 and not
seeing failures. I have created a bug [1] and will update the list when it
has been fixed. Thanks for the find, James.

[1] http://oss.tresys.com/projects/clip/ticket/34
> 
> 
> 
> --
> James Homer CEng MBCS CITP
> Senior Technical Consultant
> CESG Listed Advisor Scheme Member
> Nexor
> 
> DDI: +44 (0) 115 952 0587
> Tel: +44 (0) 115 952 0500
> Fax: +44 (0) 115 952 0519
> mailto:james.homer at nexor.com
> http://www.nexor.com
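The thread shows why a "nothing more permissive than 700" check passed while the jobs silently stopped running. The following audit sketch is an added example, not part of the original thread or of CLIP's kickstart; it flags both a missing owner-execute bit on job scripts and any bits beyond the limit. The function names and finding labels are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not CLIP's own code): audit cron file modes against the two
# rules quoted in the thread. Assumption: GNU stat (stat -c '%a').
# Call "audit_cron" for the live system, or "audit_cron ROOT" for a test tree.

JOB_DIRS="cron.hourly cron.daily cron.weekly cron.monthly"

# audit_file PATH KIND -> prints one line per violation found on PATH.
#   job   : script in a cron.* directory; it is skipped unless executable,
#           so it needs owner execute and no group/other bits (700).
#   table : crontab-format file read by crond, never executed; at most 600.
audit_file() {
    m=$(stat -c '%a' "$1") || return 0
    case $2 in
        job)
            # The failure in the thread: mode 600 passes the "too loose"
            # test below, so only this check reveals the job cannot run.
            [ $(( 0$m & 0100 )) -ne 0 ] || echo "NOEXEC $m $1"
            [ $(( 0$m & 07077 )) -eq 0 ] || echo "LOOSE $m $1"
            ;;
        table)
            [ $(( 0$m & 07177 )) -eq 0 ] || echo "LOOSE $m $1"
            ;;
    esac
}

# audit_cron [ROOT] -> prints all findings for cron files under ROOT/etc.
audit_cron() {
    root=${1:-}
    for d in $JOB_DIRS; do
        for f in "$root/etc/$d"/*; do
            if [ -f "$f" ]; then audit_file "$f" job; fi
        done
    done
    for f in "$root/etc/crontab" "$root/etc/cron.d"/*; do
        if [ -f "$f" ]; then audit_file "$f" table; fi
    done
    return 0
}
```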