From owner-freebsd-security  Fri Jun 15 17:38:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138])
	by hub.freebsd.org (Postfix) with ESMTP
	id EB36337B403; Fri, 15 Jun 2001 17:38:39 -0700 (PDT)
	(envelope-from dima@unixfreak.org)
Received: from hornet.unixfreak.org (hornet [63.198.170.140])
	by bazooka.unixfreak.org (Postfix) with ESMTP
	id 0564A3E28; Fri, 15 Jun 2001 17:38:38 -0700 (PDT)
To: Brad Huntting <huntting@glarp.com>
Cc: freebsd-gnats-submit@FreeBSD.org, security@freebsd.org
Subject: Re: misc/28188: Cron is being started to early in /etc/rc (potential security hole) 
In-Reply-To: <200106152257.f5FMvkC67939@freefall.freebsd.org>; from huntting@glarp.com on "Fri, 15 Jun 2001 15:57:46 -0700 (PDT)"
Date: Fri, 15 Jun 2001 17:38:37 -0700
From: Dima Dorfman <dima@unixfreak.org>
Message-Id: <20010616003838.0564A3E28@bazooka.unixfreak.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Brad Huntting <huntting@glarp.com> writes:
> >Description:
> Cron allows users to run jobs at boot time by specifying "@reboot".
> While this is a very usefull feature, it is also a potential security
> hole if these jobs are started before the kern.securelevel level is
> raised.

This is a general problem; cron just makes it easy to take advantage
of.  The problem is that the securelevel is raised as late as
possible; it is the last thing to happen in /etc/rc in -stable, and
second to last in -current (background fsck's are started after it).
The real solution[1] is to move the setting of securelevel up, above
the starting of most of the non-essential daemons (e.g., sshd, cron,
et al).  Anyone from -security care to comment on the feasibility of
this?  Any reason why it isn't already done like this?  OpenBSD sets
it quite early, FWIW.

Thanks,

					Dima Dorfman
					dima@unixfreak.org

[1] Actually, the real solution is to axe the entire concept of
securelevel.  Of course, this won't be done until a suitable
replacement is available (e.g., MAC).

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message