[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sh script from cron

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: sh script from cron
From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
Date: Wed, 1 Dec 2004 14:17:23 -0700

On 2004 Dec 1, at 1:12 PM, Gabriel Cosentino de Barros wrote:

>> [...] And it's not a
>> terrible idea to treat scripts for cron jobs akin to CGIs and be
>> paranoid about validating all inputs, etc.
>
> What's so wrong with cron. sorry, i don't think i got the picture here.

In Roy's case, he was using it to check a Web site. If that site could 
be hijacked in such a way that it made curl vulnerable....

If you had cron call something in $HOME/bin, and that checked a config 
file of its own, there're two more avenues of attack.

Paranoid programming is a good idea in any case. It's just that cron 
adds the extra bits of automated and non-interactive running...which 
gives an attacker lots of chances to get it right and  means that you 
might not even know if something's gone worng.

Of course, if you're just doing something like this:

45      1       *       *       *       cd /usr/src && cvs -q up -PAd 
-rOPENBSD_3_5

then you probably don't have much to worry about. Assuming you trust 
$CVSROOT....

Cheers,

b&

[demime 0.98d removed an attachment of type application/pgp-signature which had a name of PGP.sig]

References:
- Re: sh script from cron
  - From: Gabriel Cosentino de Barros

Prev by Date: Re: dhclient and /etc/myname
Next by Date: Re: dhclient and /etc/myname
Previous by thread: Re: sh script from cron
Next by thread: Re: firewall/router configuration trouble
Index(es):
- Date
- Thread

Visit your host, monkey.org