Date: Fri, 15 Jun 2001 15:57:46 -0700 (PDT) From: Brad Huntting <huntting@glarp.com> To: freebsd-gnats-submit@FreeBSD.org Subject: misc/28188: Cron is being started to early in /etc/rc (potential security hole) Message-ID: <200106152257.f5FMvkC67939@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 28188
>Category: misc
>Synopsis: Cron is being started to early in /etc/rc (potential security hole)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jun 15 16:00:02 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Brad Huntting
>Release: 4.3
>Organization:
Univ of Colorado Boulder
>Environment:
FreeBSD hunkular.glarp.com 4.3-STABLE FreeBSD 4.3-STABLE #0: Mon May 14 18:39:38 MDT 2001 root@hunkular.glarp.com:/usr/src/sys/compile/HUNKULAR i386
>Description:
Cron allows users to run jobs at boot time by specifying "@reboot".
While this is a very usefull feature, it is also a potential security
hole if these jobs are started before the kern.securelevel level is
raised.
>How-To-Repeat:
Put these in /etc/rc.conf
kern_securelevel_enable="YES"
kern_securelevel="0"
And put this in your (non-root) crontab file:
@reboot /sbin/sysctl kern.securelevel
And reboot. You should get a mail message indicating that your cron
job was run with kern.securelevel=-1. Not something ordinary users
should really be doing.
>Fix:
in /etc/rc, start cron _after_ kern.securelevel is set:
--- /etc/rc.orig Fri Jun 15 16:42:02 2001
+++ /etc/rc Fri Jun 15 16:42:06 2001
@@ -483,14 +483,6 @@
;;
esac
-case ${cron_enable} in
-[Nn][Oo])
- ;;
-*)
- echo -n ' cron'; ${cron_program:-/usr/sbin/cron} ${cron_flags}
- ;;
-esac
-
case ${lpd_enable} in
[Yy][Ee][Ss])
echo -n ' printer'; ${lpd_program:-/usr/sbin/lpd} ${lpd_flags}
@@ -691,6 +683,14 @@
echo 'Raising kernel security level: '
sysctl -w kern.securelevel=${kern_securelevel}
fi
+ ;;
+esac
+
+case ${cron_enable} in
+[Nn][Oo])
+ ;;
+*)
+ echo 'Starting cron'; ${cron_program:-/usr/sbin/cron} ${cron_flags}
;;
esac
(forgive me, but the tabs->spaces thing will probably corrupt this patch,
but you get the idea).
thanx,
brad
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200106152257.f5FMvkC67939>