Re: sh script from cron
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: sh script from cron
- From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
- Date: Wed, 1 Dec 2004 14:17:23 -0700
On 2004 Dec 1, at 1:12 PM, Gabriel Cosentino de Barros wrote:
>> [...] And it's not a
>> terrible idea to treat scripts for cron jobs akin to CGIs and be
>> paranoid about validating all inputs, etc.
> What's so wrong with cron? Sorry, I don't think I got the picture here.
In Roy's case, he was using it to check a Web site. If that site could
be hijacked in such a way that it made curl vulnerable....
If you had cron call something in $HOME/bin, and that checked a config
file of its own, there're two more avenues of attack.
Paranoid programming is a good idea in any case. It's just that cron
adds the extra bits of automated and non-interactive running...which
gives an attacker lots of chances to get it right and means that you
might not even know if something's gone wrong.
Of course, if you're just doing something like this:
45 1 * * * cd /usr/src && cvs -q up -PAd
then you probably don't have much to worry about. Assuming you trust
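The two extra "avenues" Ben names (a script under $HOME/bin that reads its own config file, and a fetched URL handed to curl) can be closed off the same way a CGI would validate its inputs. This is an added example, not code from the thread; it assumes a config file in KEY=value form and a job that only needs to fetch one https URL.

```shell
#!/bin/sh
# Added example (not from the thread): a defensive skeleton for a script
# that cron runs from $HOME/bin and that reads its own config file.
set -eu                       # abort on unset variables and unchecked failures
umask 077                     # anything we create is private to us
PATH=/bin:/usr/bin:/usr/local/bin
export PATH                   # never trust the PATH cron hands us

# check_config FILE: succeed only if FILE is a regular file owned by the
# invoking user and not writable by group or others. Uses find(1), which
# is portable across BSD and GNU; an empty result means "reject".
check_config() {
    [ -n "$(find "$1" -prune -type f -user "$(id -un)" \
              ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# read_setting FILE KEY: print the first KEY=value line's value. The file is
# parsed, never sourced, so a line like "URL=x; rm -rf ~" cannot execute.
read_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# valid_url STRING: allow only a plain https URL made of a conservative
# character set; shell metacharacters, spaces and userinfo are rejected.
valid_url() {
    printf '%s\n' "$1" |
        grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~-]*)*$'
}

# demo: exercise the checks on constructed config files in a temp dir and
# print what the job would do. Returns 0 when every check behaves as intended.
demo() {
    d=$(mktemp -d) || return 1
    printf 'URL=https://www.example.com/status\n' > "$d/good.conf"  # mode 600 via umask
    cp "$d/good.conf" "$d/bad.conf"; chmod 666 "$d/bad.conf"        # writable by anyone
    printf 'URL=https://evil.example/;rm -rf ~\n' > "$d/hostile.conf"
    check_config "$d/good.conf"  || { echo "good.conf rejected?"; return 1; }
    ! check_config "$d/bad.conf" || { echo "bad.conf accepted?";  return 1; }
    url=$(read_setting "$d/good.conf" URL)
    valid_url "$url"             || { echo "good URL rejected?";  return 1; }
    ! valid_url "$(read_setting "$d/hostile.conf" URL)" ||
        { echo "hostile URL accepted?"; return 1; }
    echo "would run: curl -sS -o /dev/null -- '$url'"   # only after validation
    rm -rf "$d"
}
```

The same ownership and mode check can be applied to the script file itself before cron runs it, since a writable $HOME/bin is the other avenue Ben mentions.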