From owner-freebsd-bugs Fri Jun 15 16: 0: 7 2001 Delivered-To: freebsd-bugs@hub.freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id E38CF37B406 for ; Fri, 15 Jun 2001 16:00:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.3/8.11.3) id f5FN02r68183; Fri, 15 Jun 2001 16:00:02 -0700 (PDT) (envelope-from gnats) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id C910537B40D for ; Fri, 15 Jun 2001 15:57:46 -0700 (PDT) (envelope-from nobody@FreeBSD.org) Received: (from nobody@localhost) by freefall.freebsd.org (8.11.3/8.11.3) id f5FMvkC67939; Fri, 15 Jun 2001 15:57:46 -0700 (PDT) (envelope-from nobody) Message-Id: <200106152257.f5FMvkC67939@freefall.freebsd.org> Date: Fri, 15 Jun 2001 15:57:46 -0700 (PDT) From: Brad Huntting To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-1.0 Subject: misc/28188: Cron is being started to early in /etc/rc (potential security hole) Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >Number: 28188 >Category: misc >Synopsis: Cron is being started to early in /etc/rc (potential security hole) >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Jun 15 16:00:02 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Brad Huntting >Release: 4.3 >Organization: Univ of Colorado Boulder >Environment: FreeBSD hunkular.glarp.com 4.3-STABLE FreeBSD 4.3-STABLE #0: Mon May 14 18:39:38 MDT 2001 root@hunkular.glarp.com:/usr/src/sys/compile/HUNKULAR i386 >Description: Cron allows users to run jobs at boot time by specifying "@reboot". While this is a very usefull feature, it is also a potential security hole if these jobs are started before the kern.securelevel level is raised. >How-To-Repeat: Put these in /etc/rc.conf kern_securelevel_enable="YES" kern_securelevel="0" And put this in your (non-root) crontab file: @reboot /sbin/sysctl kern.securelevel And reboot. You should get a mail message indicating that your cron job was run with kern.securelevel=-1. Not something ordinary users should really be doing. >Fix: in /etc/rc, start cron _after_ kern.securelevel is set: --- /etc/rc.orig Fri Jun 15 16:42:02 2001 +++ /etc/rc Fri Jun 15 16:42:06 2001 @@ -483,14 +483,6 @@ ;; esac -case ${cron_enable} in -[Nn][Oo]) - ;; -*) - echo -n ' cron'; ${cron_program:-/usr/sbin/cron} ${cron_flags} - ;; -esac - case ${lpd_enable} in [Yy][Ee][Ss]) echo -n ' printer'; ${lpd_program:-/usr/sbin/lpd} ${lpd_flags} @@ -691,6 +683,14 @@ echo 'Raising kernel security level: ' sysctl -w kern.securelevel=${kern_securelevel} fi + ;; +esac + +case ${cron_enable} in +[Nn][Oo]) + ;; +*) + echo 'Starting cron'; ${cron_program:-/usr/sbin/cron} ${cron_flags} ;; esac (forgive me, but the tabs->spaces thing will probably corrupt this patch, but you get the idea). thanx, brad >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message