Reputation: 65
I need to be able to update the scheduled run times for various jobs from a web page and I am looking for a secure way to do it on a Red Hat Enterprise Linux system. Obviously editing the crontab file directly is a no-no and we limit PHP access to its application directory anyway. Best I can come up with is to create the updated file in the application directory (one level below webroot) then sudo exec a script that validates the file and moves it into the cron.d directory. Is this secure or is there a better way to do it?
Thanks
Mark
Upvotes: 4
Views: 217
Reputation: 24383
To me, this seems like a huge security hole and I definitely wouldn't recommend writing either directly or indirectly to crontab. Should you somehow overlook even one small part of securing the "validators" you mention above, a malicious user would easily be able to compromise your entire server.
Follow Jim's solution and use some sort of framework if possible; hopefully open source and under active development by multiple developers.
If all of the processes to be added are similar, I would recommend an alternative, such as creating a cron job that will execute one specific script as a non-privileged user every lowest common denominator number of minutes, and adding all the functionality to execute the other processes to this one file. Make sure you hard-code as much as possible, rely as little as possible on user input, and escape everything that the user inputs.
Upvotes: 0
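The validation step from the question, combined with the advice above to hard-code as much as possible, could look like the following. This is an added example, not code posted by anyone in the thread; the job ids, the `appjobs` user and the `/opt/app/bin` paths are hypothetical. The web page supplies only a job id and a five-field schedule, and the user and command columns of the cron.d file come from a fixed table.

```python
import re

# Hypothetical allowlist: job id -> (run-as user, fixed command). The web
# page chooses a job id and a schedule, never the user or the command.
JOBS = {
    "nightly_report": ("appjobs", "/opt/app/bin/nightly_report.sh"),
    "cache_purge": ("appjobs", "/opt/app/bin/cache_purge.sh"),
}
# Inclusive range for minute, hour, day of month, month, day of week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
# One list item: "*", N or N-M, then an optional /STEP. ASCII digits only;
# names such as "mon" or "@reboot" are deliberately rejected.
ITEM = re.compile(r"(?:(\*)|([0-9]{1,2})(?:-([0-9]{1,2}))?)(?:/([0-9]{1,2}))?")


def valid_field(text, lo, hi):
    """Accept numeric cron syntax only, with every number inside lo..hi."""
    for item in text.split(","):
        m = ITEM.fullmatch(item)
        if not m:
            return False
        star, start, end, step = m.groups()
        if step is not None:
            # cron allows a step only after "*" or a range
            if (star is None and end is None) or not 1 <= int(step) <= hi:
                return False
        if star is None:
            first = int(start)
            last = int(end) if end is not None else first
            if not lo <= first <= last <= hi:
                return False
    return True


def render_cron_d(requested):
    """Build cron.d text from {job_id: schedule}; ValueError on anything else."""
    lines = []
    for job_id in sorted(requested):
        schedule = requested[job_id]
        if job_id not in JOBS or not isinstance(schedule, str):
            raise ValueError("unknown job or bad type: %r" % (job_id,))
        fields = schedule.split(" ")
        if len(fields) != 5 or not all(
            valid_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)
        ):
            raise ValueError("bad schedule for %s" % job_id)
        user, command = JOBS[job_id]
        lines.append("%s %s %s" % (" ".join(fields), user, command))
    return "\n".join(lines) + "\n"
```

Because the output is regenerated from the table on every run, nothing the web application writes is ever copied into the cron.d directory as-is.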
Reputation: 705
Your best bet would be to find one of the various crontab packages out there that are basically some scripts that emulate crontab, unless you have the ability to install something like cPanel or Plesk.
Upvotes: 1
Reputation: 11369
How about using the crontab command? You could create a file in /tmp called newcronjobs.txt with the cron entries you want to add. And then call crontab /tmp/newcronjobs.txt
This should add all of the new jobs. I would assume this is pretty secure but just a thought.
Upvotes: 0