Re: move cron socket to /var/run/cron.sock (pledge)

2015-11-12 Thread Jérémie Courrèges-Anglas
Theo de Raadt  writes:

>> Grmbl.  I've had a hard time trying to understand *why* this would be
>> needed.  The answer is pledge(2), which makes chmod(2) fail with EPERM
>> instead of killing the process.
>> 
>> I find this confusing.  IMO pledge(2) should let the kernel do the
>> appropriate security checks for chown(2).
>
> Cannot.  pledge handles *chown() at a realistic level.
>
> Otherwise, we'd need pledge checks in every function reachable
> by VOP_SETATTR.

I'm not sure I understand the reasons, but I'll trust you on that one.
Still I find this change in behavior confusing, and I hope it won't bite
us in the end.

I'd prefer cron not to change its gid for a weird reason, or maybe
change it only around the socket chmod call, with a comment explaining
why this is necessary.

Otherwise, millert's diff looks good, works fine and is a very desirable
improvement IMO.  ok jca@ but please consider the paragraph above.

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: move cron socket to /var/run/cron.sock (pledge)

2015-11-11 Thread Theo de Raadt
> Grmbl.  I've had a hard time trying to understand *why* this would be
> needed.  The answer is pledge(2), which makes chmod(2) fail with EPERM
> instead of killing the process.
> 
> I find this confusing.  IMO pledge(2) should let the kernel do the
> appropriate security checks for chown(2).

Cannot.  pledge handles *chown() at a realistic level.

Otherwise, we'd need pledge checks in every function reachable
by VOP_SETATTR.



Re: move cron socket to /var/run/cron.sock (pledge)

2015-11-11 Thread Jérémie Courrèges-Anglas
"Todd C. Miller"  writes:

> On Wed, 11 Nov 2015 23:30:48 +0100, Jérémie Courrèges-Anglas wrote:
>
>> "Todd C. Miller"  writes:
>> 
>> > On Wed, 11 Nov 2015 14:43:47 -0700, "Todd C. Miller" wrote:
>> >
>> >> There's limited backward compatibility so you can run a new crontab
>> >> with an older cron daemon.
>> >
>> > Revised diff, I neglected to send out the cron.c changes in the
>> > first one.
>> 
>> The socket doesn't inherit the crontab group from its parent directory
>> anymore.
>
> I was wondering if anyone would notice that.  I fixed that after I
> had already sent the updated diff.  This version sets cron's egid
> to crontab so it can chmod the socket.

Grmbl.  I've had a hard time trying to understand *why* this would be
needed.  The answer is pledge(2), which makes chmod(2) fail with EPERM
instead of killing the process.

I find this confusing.  IMO pledge(2) should let the kernel do the
appropriate security checks for chown(2).

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE