We want all long running daemons to have PIE and RELRO flags set. This is a
missing security mechanism. Fixing this generally involves adding -fPIE -DPIE
to the CFLAGS, and -pie -Wl,-z,relro -Wl,-z,now to the LDFLAGS.
Expected results:
PIE and partial RELRO at a minimum.
Tomas Mraz [Thu, 16 Dec 2010 16:06:28 +0000 (17:06 +0100)]
Revert "Cache the security class and bit values and translate the remaining hardcoded values."
Caching cannot be done as the values can change on SELinux policy update.
Colin Dean [Mon, 4 Oct 2010 14:29:12 +0000 (16:29 +0200)]
cronie on cluster
One issue we have is that although we've made our services very
resilient, by employing HA failover, load balancing and round robin DNS,
the one service that's difficult to do anything with is cron, because it
has traditionally been tied to a single machine.
For instance, we have a cluster of 4 Fedora servers which our end users
use as timeshare systems, using round robin DNS, and if one of the
servers is down it doesn't really matter too much. We don't even backup
the servers, relying on NFS home directories and rebuilding from scratch
using kickstart + cfengine if a server fails and can't be restarted.
However, the users have scattered crontab files around the 4 servers, so
that if the particular server a cron job is meant to run on dies, the
job doesn't run any more, and the crontab file may be permanently lost.
What we needed was a facility to allow crontabs in /var/spool/cron on
these 4 servers be NFS mounted from a single directory on our NetApp
filers (so giving us backups and snapshots), with any user able to run
"crontab -e" from any of the servers to manage a single shared crontab,
and for us in the IT Service to be able to set just one of the 4 servers
to run user crontab jobs at any time. However, we needed to keep
/etc/crontab and the files in /etc/cron.d/ specific to each individual
server still, and keep crond running on all 4 servers.

If sendmail isn't installed, syslog is used. This patch should
also solve the problem with RPM requirements of sendmail
(and which mail should be installed by default).
Based on: https://bugzilla.redhat.com/show_bug.cgi?id=472710#c42
Michal Seben [Wed, 14 Apr 2010 12:01:42 +0000 (14:01 +0200)]
Option "-" don't log jobs as root
If the uid of the owner is 0 (root), he can put a "-" as first
character of a crontab entry. This will prevent cron from writing
a syslog message about this command getting executed.
Michal Seben [Wed, 14 Apr 2010 11:26:48 +0000 (13:26 +0200)]
Correctly reported PAM errors
cron_conv could be helpful for debug purposes when something bad happens
with pam, e.g. an expired user password. Without cron_conv, cronie doesn't
report useful info in syslog messages (it just writes a "no conversation
function" error to the messages file). If you want to do a quick test of the pam
conversation function, you could set PASS_MAX_DAYS and PASS_WARN_AGE in
etc/login.defs, add a new user and create a cron rule for this user (crontab -e).

When run as "crontab -e", crontab creates a temporary file in /tmp, copies the
contents of an existing crontab to this file, and then calls utime() on the
temporary file name to set its mtime and atime to 0, in order to check after
editing whether or not the file has been modified.
Since the file is created with the user's euid, and because utime is called on
the file as root, an attacker can replace the temporary file after it is
created with a symlink to any file or folder on disk, which will then have its
atime and mtime set to 0. This is certainly not a critical issue, but this
action can be used to deny service in many scenarios. For example, the cron
daemon checks the mtime of the crontab spool folder and its contents to
determine whether or not it needs to update its database of cronjobs, and if
these times are reset to 0, no new cronjobs will be added. Other daemons
relying on accurate timestamps may be similarly affected. Finally, build tools
such as make could be tricked into not re-compiling source, based on an old
timestamp.
Thanks to: Dan Rosenberg
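
The race described in the message above goes away when the timestamp reset and the later "was it edited?" check both act on the open file descriptor instead of the file name. The following is an added example, not cronie's code or its actual fix; the function names and the /tmp file names are hypothetical, and it assumes a POSIX.1-2008 system with futimens().

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Set atime and mtime to 0 on the already-open file, never on its path,
 * so a path swapped for a symlink after creation is not followed. */
int zero_times_fd(int fd)
{
    const struct timespec ts[2] = { {0, 0}, {0, 0} };
    return futimens(fd, ts);
}

/* After the editor exits: was the file we created written to?
 * Returns 1 if modified, 0 if untouched, -1 on error. */
int fd_was_modified(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return st.st_mtime != 0;
}

/* Constructed scenario: the temp path is replaced by a symlink to a
 * second file before the timestamps are reset. Returns 1 when the
 * second file keeps its real mtime and only our own file was zeroed. */
int symlink_swap_is_harmless(void)
{
    char tmp[] = "/tmp/crontab-demo.XXXXXX";   /* hypothetical names */
    char other[] = "/tmp/other-demo.XXXXXX";
    struct stat st;
    int ok = 0;
    int fd = mkstemp(tmp);
    int ofd = mkstemp(other);
    if (fd < 0 || ofd < 0)
        return -1;
    if (unlink(tmp) == 0 && symlink(other, tmp) == 0 &&
        zero_times_fd(fd) == 0 && stat(other, &st) == 0)
        ok = (st.st_mtime != 0) && (fd_was_modified(fd) == 0);
    unlink(tmp);
    unlink(other);
    close(fd);
    close(ofd);
    return ok;
}
```

A path-based utime() call made with root privileges at the same point would have followed the symlink and reset the second file's timestamps.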

There is a need to add -laudit to the gcc options because it is no longer
found automatically. Based on:
http://fedoraproject.org/wiki/Features/ChangeInImplicitDSOLinking
SATOH Fumiyasu [Tue, 3 Nov 2009 09:41:44 +0000 (10:41 +0100)]
Security: Ignore $TMPDIR if ruid!=euid and/or rgid!=egid
A setuid/setgid process with GNU C library does NOT inherit $TMPDIR
from the parent process for security reasons, but this behavior is
NOT a standard feature.

New option: enable-anacron in configure which can set compilation
with or without anacron part. Also there were changes in manual pages.
Updated ChangeLog.