Re: move cron socket to /var/run/cron.sock (pledge)
Theo de Raadt writes:

>> Grmbl. I've had a hard time trying to understand *why* this would be
>> needed. The answer is pledge(2), which makes chmod(2) fail with EPERM
>> instead of killing the process.
>>
>> I find this confusing. IMO pledge(2) should let the kernel do the
>> appropriate security checks for chown(2).
>
> Cannot. pledge handles *chown() at a realistic level.
>
> Otherwise, we'd need pledge checks in every function reachable
> by VOP_SETATTR.

I'm not sure I understand the reasons, but I'll trust you on that one.
Still I find this change in behavior confusing, and I hope it won't
bite us in the end.

I'd prefer cron not to change its gid for a weird reason, or maybe
change it only around the socket chmod call, with a comment explaining
why this is necessary.

Otherwise, millert's diff looks good, works fine and is a very
desirable improvement IMO.

ok jca@ but please consider the paragraph above.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: move cron socket to /var/run/cron.sock (pledge)
> Grmbl. I've had a hard time trying to understand *why* this would be
> needed. The answer is pledge(2), which makes chmod(2) fail with EPERM
> instead of killing the process.
>
> I find this confusing. IMO pledge(2) should let the kernel do the
> appropriate security checks for chown(2).

Cannot. pledge handles *chown() at a realistic level.

Otherwise, we'd need pledge checks in every function reachable
by VOP_SETATTR.
Re: move cron socket to /var/run/cron.sock (pledge)
"Todd C. Miller" writes:

> On Wed, 11 Nov 2015 23:30:48 +0100,
> Jérémie Courrèges-Anglas wrote:
>
>> "Todd C. Miller" writes:
>>
>> > On Wed, 11 Nov 2015 14:43:47 -0700, "Todd C. Miller" wrote:
>> >
>> >> There's limited backward compatibility so you can run a new crontab
>> >> with an older cron daemon.
>> >
>> > Revised diff, I neglected to send out the cron.c changes in the
>> > first one.
>>
>> The socket doesn't inherit the crontab group from its parent directory
>> anymore.
>
> I was wondering if anyone would notice that. I fixed that after I
> had already sent the updated diff. This version sets cron's egid
> to crontab so it can chmod the socket.

Grmbl. I've had a hard time trying to understand *why* this would be
needed. The answer is pledge(2), which makes chmod(2) fail with EPERM
instead of killing the process.

I find this confusing. IMO pledge(2) should let the kernel do the
appropriate security checks for chown(2).

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE