Date: Fri, 13 Jan 2012 11:28:10 -0800 From: "David O'Brien" <obrien@freebsd.org> To: Chris Rees <crees@freebsd.org> Cc: freebsd-rc@freebsd.org Subject: Re: Problem with LOGIN and cron Message-ID: <20120113192810.GA87287@dragon.NUXI.org> In-Reply-To: <CADLo838ygJPVCdkai-Ui6eRKt4cZ3tX9Xj67KxmRKc10tLcDag@mail.gmail.com> References: <20120112234424.GA41056@dragon.NUXI.org> <CADLo838ygJPVCdkai-Ui6eRKt4cZ3tX9Xj67KxmRKc10tLcDag@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jan 13, 2012 at 07:11:01AM +0000, Chris Rees wrote: > On 12 January 2012 23:44, David O'Brien <obrien@freebsd.org> wrote: > > 'LOGIN' states: > > This is a dummy dependency to ensure user services such as xdm, > > inetd, cron and kerberos are started after everything else, in > > case the administrator has increased the system security level > > and wants to delay user logins until the system is (almost) fully > > operational. > > > > So based on that, 'securelevel' should have: > > +# REQUIRE: sysctl > > +# BEFORE: LOGIN > > Otherwise a cronjob could act against securelevel=1+ for a short peroid > > of time. > > Hm, but what if I have an @reboot line in crontab, that relies on > securelevel <1? Can you give an example? $ man cron | grep @reboot {empty} $ man crontab | grep @reboot {empty} > Can't we change the wording in the docs instead? We could, but that would sweep what I feel may be a security issue under the rug. -- -- David (obrien@FreeBSD.org)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120113192810.GA87287>