allowing users to run crontab

Todd C. Miller Todd.Miller at courtesan.com
Wed Jul 30 15:17:23 EDT 2003


In message <77F055FA968580429F4546414D8C10E7011D05F9 at s102b.rhcci.net>
	so spake "Mike Bethune" (Mike.Bethune):

> yes I know that but I don't allow access to run the suid root binary crontab.
>   the permissions are that only root can execute it, and I wanted to let only
>  some users run it by using sudo...

It still seems like you are better off letting normal users run
crontab and just using cron.{allow,deny} to restrict it.

Depending on the implementation you may be able to crontab setgid
instead of setuid root.  This requires that you add a "crontab"
group and make things like cron's FIFO and the crontabs dir writable
by the group.  If crontab(1) isn't smart enough to drop its gid in
addition to its uid this can be dangerous though.

 - todd


More information about the sudo-users mailing list