禁用“www-data”用户的cron
[英]disable cron for “www-data” user
问题描述
My old debian server is running php as dso and some malicious scripts are always adding cron for system user "www-data". 
我的旧debian服务器运行php作为dso,一些恶意脚本总是为系统用户“www-data”添加cron。 I could see too many malicious crons getting added for this user some how. 我可以看到为这个用户添加了太多的恶意crons。 As the server is running php as dso, we are unable to track the exact process adding the cron. 由于服务器运行php作为dso,我们无法跟踪添加cron的确切进程。
Q. How can i disable "www-data" from adding crons further. 问:如何禁用“www-data”进一步添加crons。 like disabling entire cron mechanism for the user? 比如为用户禁用整个cron机制? Is that possible? 那可能吗?
Q. How can we find which php script does this cron edit? 问:我们怎样才能找到这个cron编辑的PHP脚本?
I could see the below in cron documentation. 我可以在cron文档中看到以下内容。
"at.allow and at.deny" “at.allow和at.deny”
You can also use the /etc/at.allow and /etc/at.deny files to manage who can schedule jobs with at. 您还可以使用/etc/at.allow和/etc/at.deny文件来管理可以使用at调度作业的人员。
The /etc/at.allow file can contain a list of users that are allowed to schedule at jobs. /etc/at.allow文件可以包含允许在作业中计划的用户列表。 When /etc/at.allow does not exist, then everyone can use at unless their username is listed in /etc/at.deny. 当/etc/at.allow不存在时,除非他们的用户名在/etc/at.deny中列出,否则每个人都可以使用at。
There is /etc/at.deny file and "www-data" is there meanwhile it still can execute crons 有/etc/at.deny文件和“www-data”同时它仍然可以执行crons
1 个解决方案
解决方案1
5 2017-03-22 16:36:47
Finally I have found a solution of my own adjusted cron settings for the apache user in such a way that "www-data" user is not able to add cron any more. 最后,我找到了一个针对apache用户自己调整的cron设置的解决方案,使得“www-data”用户无法再添加cron。
touch /var/spool/cron/crontabs/www-data;
Below is the result of the above adjustments. 以下是上述调整的结果。
su www-data
$
$ crontab -e
crontabs/www-data/: fdopen: Permission denied$
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.