From owner-freebsd-rc@FreeBSD.ORG  Fri Jan 13 19:28:11 2012
Return-Path: <owner-freebsd-rc@FreeBSD.ORG>
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 80BDD1065670;
	Fri, 13 Jan 2012 19:28:11 +0000 (UTC) (envelope-from obrien@NUXI.org)
Received: from dragon.nuxi.org (trang.nuxi.org [74.95.12.85])
	by mx1.freebsd.org (Postfix) with ESMTP id 282A38FC0A;
	Fri, 13 Jan 2012 19:28:11 +0000 (UTC)
Received: from dragon.nuxi.org (obrien@localhost [127.0.0.1])
	by dragon.nuxi.org (8.14.5/8.14.5) with ESMTP id q0DJSAF7087368;
	Fri, 13 Jan 2012 11:28:10 -0800 (PST)
	(envelope-from obrien@dragon.nuxi.org)
Received: (from obrien@localhost)
	by dragon.nuxi.org (8.14.5/8.14.4/Submit) id q0DJSAO0087367;
	Fri, 13 Jan 2012 11:28:10 -0800 (PST) (envelope-from obrien)
Date: Fri, 13 Jan 2012 11:28:10 -0800
From: "David O'Brien" <obrien@freebsd.org>
To: Chris Rees <crees@freebsd.org>
Message-ID: <20120113192810.GA87287@dragon.NUXI.org>
References: <20120112234424.GA41056@dragon.NUXI.org>
	<CADLo838ygJPVCdkai-Ui6eRKt4cZ3tX9Xj67KxmRKc10tLcDag@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADLo838ygJPVCdkai-Ui6eRKt4cZ3tX9Xj67KxmRKc10tLcDag@mail.gmail.com>
X-Operating-System: FreeBSD 9.99-CURRENT
X-to-the-FBI-CIA-and-NSA: HI! HOW YA DOIN?
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: freebsd-rc@freebsd.org
Subject: Re: Problem with LOGIN and cron
X-BeenThere: freebsd-rc@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: obrien@freebsd.org
List-Id: "Discussion related to /etc/rc.d design and implementation."
	<freebsd-rc.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-rc>,
	<mailto:freebsd-rc-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-rc>
List-Post: <mailto:freebsd-rc@freebsd.org>
List-Help: <mailto:freebsd-rc-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-rc>,
	<mailto:freebsd-rc-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2012 19:28:11 -0000

On Fri, Jan 13, 2012 at 07:11:01AM +0000, Chris Rees wrote:
> On 12 January 2012 23:44, David O'Brien <obrien@freebsd.org> wrote:
> > 'LOGIN' states:
> >        This is a dummy dependency to ensure user services such as xdm,
> >        inetd, cron and kerberos are started after everything else, in
> >        case the administrator has increased the system security level
> >        and wants to delay user logins until the system is (almost) fully
> >        operational.
> >
> > So based on that, 'securelevel' should have:
> > +# REQUIRE: sysctl
> > +# BEFORE:  LOGIN
> > Otherwise a cronjob could act against securelevel=1+ for a short peroid
> > of time.
> 
> Hm, but what if I have an @reboot line in crontab, that relies on
> securelevel <1?

Can you give an example?

    $ man cron | grep @reboot
    {empty}
    $ man crontab | grep @reboot
    {empty}


> Can't we change the wording in the docs instead?

We could, but that would sweep what I feel may be a security issue under
the rug.

-- 
-- David  (obrien@FreeBSD.org)