This is an old revision of the document!
This is the modified cron init script:
diff -u cron_org cron --- cron_org 2008-07-03 04:10:46.000000000 +0200 +++ cron 2008-07-03 04:12:02.000000000 +0200 @@ -23,7 +23,7 @@ case "$1" in start) log_daemon_msg "Starting periodic command scheduler" "crond" - start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES + run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES log_end_msg $? ;; stop) log_daemon_msg "Stopping periodic command scheduler" "crond" @@ -32,7 +32,7 @@ ;; restart) log_daemon_msg "Restarting periodic command scheduler" "crond" start-stop-daemon --stop --retry 5 --quiet --pidfile /var/run/crond.pid --name cron - start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES + run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES log_end_msg $? ;; reload|force-reload) log_daemon_msg "Reloading configuration files for periodic command scheduler" "crond"
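Review bot: In the start) hunk, `log_end_msg $?` now reports the exit status of `run-jail`, not of `start-stop-daemon`; unless `run-jail` passes the wrapped command's exit code through, a failed start will be logged as success, so that pass-through should be checked. Also, init scripts run with a fixed PATH, so `run-jail cron` should be given as an absolute path (or the script should verify the helper is present) rather than relying on lookup.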
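Review bot: In the restart) hunk the wrapped start line is now a verbatim copy of the one in start); moving it into a single shell function (for example `do_start`) that both branches call would keep the jail wrapper from drifting between the two paths. The preceding `start-stop-daemon --stop ... --pidfile /var/run/crond.pid --name cron` is unchanged and still relies on the pidfile, so it is worth confirming after the first jailed start that cron inside the jail can still write /var/run/crond.pid; otherwise restart will fail to stop the old daemon.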
<6>0000001181|rsbac_adf_request(): request GET_STATUS_DATA, pid 4479, ppid 4473, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL
The first thing to do is to add the jail_flag 'allow-ipc-syslog':
(allow-ipc-syslog) () () ()
All services which send data to syslog need this if syslogd is jailed too.
I stop the service with /etc/init.d/cron stop, then start it again and watch the other terminal.
/etc/init.d/cron start
Starting periodic command scheduler: crond
This is execute now: rsbac_jail -y start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
<6>0000001237|rsbac_adf_request(): request WRITE_OPEN, pid 4631, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32834, result NOT_GRANTED by JAIL
Look at target_type and request:
target_type DEV :: request WRITE_OPEN
The target_type DEV points to a jail flag; in the list of jail_flags you find:
"allow-dev-write": "-D" (this is the closest match)
The help of rsbac_jail says:
-D = allow write access on devices
So I add this to the cron jailfile:
(allow-ipc-syslog allow-dev-write) () () ()
Then I stop and start crond again.
/etc/init.d/cron start
Starting periodic command scheduler: crond
This is execute now: rsbac_jail -y -D start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
On the other terminal I see:
<6>0000001239|rsbac_adf_request(): request READ_OPEN, pid 4653, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32769, result NOT_GRANTED by JAIL
Again I look at target_type and request:
target_type DEV :: request READ_OPEN
Now I add this:
"allow-dev-read": "-d"
The help of rsbac_jail says:
-d = allow read access on devices
So I add this to the cron jailfile:
(allow-ipc-syslog allow-dev-write allow-dev-read) () () ()
Then the same game again: stop and start crond.
/etc/init.d/cron start
Starting periodic command scheduler: crond
This is execute now: rsbac_jail -y -D -d start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
And nothing more appears on the terminal of the security user. So far, so good.
But a cron job will come soon that accesses things which are not set up at the moment.
For this I speed up the clock (only virtually) to the next cron jobs
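The loop followed above (read the JAIL denial on the security terminal, map target_type and request to a jail flag, extend the first group of the jailfile, restart) as an added Python example; this is not code from the page or from RSBAC. The flag table holds only the two mappings worked out on this page, so any other denial is reported for a manual lookup in the rsbac_jail help, and the assumption is that the flags live in the first of the four groups of the jailfile line, as in the line shown above; the sample log lines are the ones quoted on this page.

```python
import re

# Shape of the rsbac_adf_request() lines shown on this page (one event per line).
ADF_RE = re.compile(
    r"rsbac_adf_request\(\): request (?P<request>\S+), pid \d+, ppid \d+, prog_name "
    r"(?P<prog>\S+), .*?target_type (?P<ttype>\S+), tid (?P<tid>[^,]+), .*?"
    r"result (?P<result>\S+) by (?P<module>\S+)")

# (target_type, request) -> jail flag, as worked out on this page; nothing else is known here.
FLAG_FOR = {
    ("DEV", "WRITE_OPEN"): "allow-dev-write",   # rsbac_jail -D
    ("DEV", "READ_OPEN"): "allow-dev-read",     # rsbac_jail -d
}

# Sample input: the three denial lines quoted on this page.
SAMPLE_LOG = """\
<6>0000001181|rsbac_adf_request(): request GET_STATUS_DATA, pid 4479, ppid 4473, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL
<6>0000001237|rsbac_adf_request(): request WRITE_OPEN, pid 4631, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32834, result NOT_GRANTED by JAIL
<6>0000001239|rsbac_adf_request(): request READ_OPEN, pid 4653, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32769, result NOT_GRANTED by JAIL
"""

def parse_denials(log_text, prog_name):
    """Return (request, target_type, tid) for each JAIL denial of prog_name."""
    found = []
    for line in log_text.splitlines():
        m = ADF_RE.search(line)
        if m and (m["prog"], m["result"], m["module"]) == (prog_name, "NOT_GRANTED", "JAIL"):
            found.append((m["request"], m["ttype"], m["tid"].strip()))
    return found

def suggest_flags(denials):
    """Map denials to jail flags (deduplicated); unknown combinations are listed apart."""
    flags, unknown = [], []
    for request, ttype, tid in denials:
        flag = FLAG_FOR.get((ttype, request))
        if flag is None:
            unknown.append((ttype, request, tid))   # look this one up by hand
        elif flag not in flags:
            flags.append(flag)
    return flags, unknown

def add_to_jailfile(jailfile_line, new_flags):
    """Merge new flags into the first group of a '(flags) () () ()' jailfile line."""
    m = re.match(r"\((?P<flags>[^)]*)\)(?P<rest>.*)$", jailfile_line.strip())
    if not m:
        raise ValueError("unexpected jailfile line: %r" % jailfile_line)
    current = m["flags"].split()
    current += [f for f in new_flags if f not in current]
    return "(" + " ".join(current) + ")" + m["rest"]
```

Running `add_to_jailfile("(allow-ipc-syslog) () () ()", suggest_flags(parse_denials(SAMPLE_LOG, "cron"))[0])` produces the final jailfile line of this page, while the df denial ends up in the unknown list because the page gives no flag for GET_STATUS_DATA.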