Cron gets the username from the filename, not the actual ownership of the file. (At least, on a default Dapper, this happens for files in /var/spool/cron/crontabs, where they end up if edited through crontab -e, for instance. Newer incantations seem to expect a username on the cronjob line.)
If the user "core" does not exist, a crontab -- at least, in /var/spool/cron/crontabs, haven't investigated /etc/cron.d and friends -- called "core" will be ignored by crond and an error message indicating the failure will be logged; otherwise, its jobs, if any, are run as the user core.
So if a user without root privileges can cause core files to be called "root", you're in trouble. On my default Dapper, this cannot be easily done -- but YMMV. ;-)
Oh, and yes, my Dapper also checks whether the file owner is actually the user indicated by the crontab filename. Phew. ;-)
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds