Problem with LOGIN and cron
David O'Brien
obrien at freebsd.org
Fri Jan 13 19:28:11 UTC 2012
On Fri, Jan 13, 2012 at 07:11:01AM +0000, Chris Rees wrote:
> On 12 January 2012 23:44, David O'Brien <obrien at freebsd.org> wrote:
> > 'LOGIN' states:
> > This is a dummy dependency to ensure user services such as xdm,
> > inetd, cron and kerberos are started after everything else, in
> > case the administrator has increased the system security level
> > and wants to delay user logins until the system is (almost) fully
> > operational.
> >
> > So based on that, 'securelevel' should have:
> > +# REQUIRE: sysctl
> > +# BEFORE: LOGIN
> > Otherwise a cronjob could act against securelevel=1+ for a short peroid
> > of time.
>
> Hm, but what if I have an @reboot line in crontab, that relies on
> securelevel <1?
Can you give an example?
$ man cron | grep @reboot
{empty}
$ man crontab | grep @reboot
{empty}
> Can't we change the wording in the docs instead?
We could, but that would sweep what I feel may be a security issue under
the rug.
--
-- David (obrien at FreeBSD.org)
More information about the freebsd-rc
mailing list