[OpenAFS] Cron jobs without service keytab

Russ Allbery rra@stanford.edu
Sat, 10 Apr 2004 11:54:37 -0700

Lukas Kubin <kubin@opf.slu.cz> writes:

> The problem is the standard cron doesn't keep users' jobs inside that
> PAG. It uses some PAM methods instead and runs the users' processes so
> they don't receive the servers' privileges.

So what you're saying is that crond destroys the PAG that you're running
it in when it switches users to run an individual user's job?  Hm.  I
thought that PAGs survived across setuid(), but maybe I'm wrong.

> Also such solution would cause a security issue by allowing any users'
> cron job to write to all directories with appropriate ACLs allowing
> crond to write into them. It means it would allow anybody to write to
> other users' cron-writable directories.

That's what you said you wanted.  :)  If you don't want to just use
cron/machine, then you have a different problem.

> Does anybody know of any other solution running cron jobs without
> storing keytabs in filesystem?

You're going to have to store a keytab somewhere if you want cron to
authenticate.  There is absolutely no way around it.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
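Since the thread ends with "you're going to have to store a keytab somewhere", here is the shape of a per-user cron wrapper that does exactly that while avoiding the shared-privilege problem raised in the quoted text: each user's job gets tokens from that user's own keytab, inside its own PAG, and the credentials are discarded when the job exits. This is an added example, not code from the original message or from OpenAFS; the keytab path ($HOME/.krb5/cron.keytab), the principal naming scheme (user/cron@EXAMPLE.ORG) and the function names are assumptions to adjust for the site. The permission check is the part a practitioner should not skip: a keytab that anyone else can read is as good as a plaintext password.

```shell
#!/bin/sh
# Added example (not from the original post). Runs a cron job with AFS tokens
# obtained from a per-user Kerberos keytab, inside a fresh PAG.
# Assumed layout: keytab at $HOME/.krb5/cron.keytab, principal user/cron@REALM.

KEYTAB="${KEYTAB:-$HOME/.krb5/cron.keytab}"
PRINCIPAL="${PRINCIPAL:-$(id -un)/cron@EXAMPLE.ORG}"
export KEYTAB PRINCIPAL

# Return 0 only if the keytab exists and has no group/other permission bits.
# Columns 5-10 of `ls -l` output are the group and other permission triplets,
# so this check is portable across GNU and BSD userlands.
keytab_is_private() {
    kt_file="$1"
    [ -f "$kt_file" ] || return 1
    kt_go=$(ls -ld "$kt_file" | cut -c5-10)
    [ "$kt_go" = "------" ]
}

# Run "$@" in a new PAG with Kerberos tickets from the keytab and AFS tokens
# from aklog; then drop tokens and tickets no matter how the job ended.
run_with_afs_token() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to use $KEYTAB: readable by group or others" >&2
        return 1
    fi
    # Private credential cache so this job's tickets never touch another job's.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_cron.XXXXXX)"
    export KRB5CCNAME
    # pagsh passes its arguments to /bin/sh, so this is sh -c '...' sh "$@":
    # the job runs as $1... inside the PAG; unlog/kdestroy run on every path.
    pagsh -c '
        kinit -k -t "$KEYTAB" "$PRINCIPAL" && aklog && "$@"
        rc=$?
        unlog
        kdestroy
        exit $rc
    ' sh "$@"
}

# Stand-alone use from a crontab entry, e.g.:
#   0 3 * * *  $HOME/bin/afs-cron-wrapper /path/to/nightly-job
if [ $# -gt 0 ]; then
    run_with_afs_token "$@"
fi
```

Because the keytab belongs to one user and the job runs in that user's PAG, a user's cron job can only write where that user's principal has ACL rights, not everywhere a shared cron/machine principal could. The same sequence (kinit from keytab, aklog, run, clean up) is what Russ Allbery's k5start tool from the kstart package does in one command, which is the usual choice once a site has more than a handful of such jobs.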