Date:      Fri, 13 Jan 2012 11:28:10 -0800
From:      "David O'Brien" <obrien@freebsd.org>
To:        Chris Rees <crees@freebsd.org>
Cc:        freebsd-rc@freebsd.org
Subject:   Re: Problem with LOGIN and cron
Message-ID:  <20120113192810.GA87287@dragon.NUXI.org>
In-Reply-To: <CADLo838ygJPVCdkai-Ui6eRKt4cZ3tX9Xj67KxmRKc10tLcDag@mail.gmail.com>
References:  <20120112234424.GA41056@dragon.NUXI.org> <CADLo838ygJPVCdkai-Ui6eRKt4cZ3tX9Xj67KxmRKc10tLcDag@mail.gmail.com>

On Fri, Jan 13, 2012 at 07:11:01AM +0000, Chris Rees wrote:
> On 12 January 2012 23:44, David O'Brien <obrien@freebsd.org> wrote:
> > 'LOGIN' states:
> >        This is a dummy dependency to ensure user services such as xdm,
> >        inetd, cron and kerberos are started after everything else, in
> >        case the administrator has increased the system security level
> >        and wants to delay user logins until the system is (almost) fully
> >        operational.
> >
> > So based on that, 'securelevel' should have:
> > +# REQUIRE: sysctl
> > +# BEFORE:  LOGIN
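Review bot: the two added keyword lines carry no explanation of why securelevel must be ordered before LOGIN, and `# BEFORE:  LOGIN` only protects services that are themselves ordered after LOGIN. Add a comment beside the keywords saying the level has to be raised before user services such as cron start, and confirm that each service named in the LOGIN description really does depend on LOGIN.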
> > Otherwise a cronjob could act against securelevel=1+ for a short period
> > of time.
> 
> Hm, but what if I have an @reboot line in crontab, that relies on
> securelevel <1?

Can you give an example?

    $ man cron | grep @reboot
    {empty}
    $ man crontab | grep @reboot
    {empty}


> Can't we change the wording in the docs instead?

We could, but that would sweep what I feel may be a security issue under
the rug.

-- 
-- David  (obrien@FreeBSD.org)
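
The ordering argument in this message can be checked mechanically. The following is an added example, not part of the original message or of FreeBSD's rc scripts: it reads PROVIDE/REQUIRE/BEFORE keywords and reports whether one script is forced to start before another. The script headers are constructed and simplified, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed, simplified rc.d headers (assumption: not copied from the FreeBSD tree).
BASE = {
    "sysctl":      "# PROVIDE: sysctl\n",
    "securelevel": "# PROVIDE: securelevel\n",
    "LOGIN":       "# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "cron":        "# PROVIDE: cron\n# REQUIRE: LOGIN\n",
}
# The same set with the two keyword lines proposed in the message.
PATCHED = dict(BASE, securelevel=BASE["securelevel"]
               + "# REQUIRE: sysctl\n# BEFORE:  LOGIN\n")

KEYWORD = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

def edges(scripts):
    """Map each name to the set of names that must start after it."""
    after = defaultdict(set)
    for text in scripts.values():
        kw = defaultdict(list)
        for key, val in KEYWORD.findall(text):
            kw[key] += val.split()
        for me in kw["PROVIDE"]:
            for dep in kw["REQUIRE"]:
                after[dep].add(me)      # dep starts before me
            for later in kw["BEFORE"]:
                after[me].add(later)    # me starts before later
    return after

def guaranteed_before(scripts, first, second):
    """True only if the keywords force `first` to start before `second`."""
    after = edges(scripts)
    seen, todo = set(), [first]
    while todo:
        for nxt in after[todo.pop()]:
            if nxt == second:
                return True
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False

if __name__ == "__main__":
    for label, scripts in (("unpatched", BASE), ("patched", PATCHED)):
        ok = guaranteed_before(scripts, "securelevel", "cron")
        print(f"{label}: securelevel forced before cron = {ok}")
```

A result of False means the ordering is left to chance, which is the window the message describes.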


