Re: policy on start-stop-daemon
On Tue, 12 Feb 2002 00:38, Wichert Akkerman wrote:
> > Either start-stop-daemon should not be called from cron, or if it is
> > called from cron then it should be called with a special parameter to
> > indicate that it is being run from cron.
>
> Not allowing start-stop-daemon to be used in cron is broken. In fact
> policy seems to move towards demanding to use /etc/init.d scripts
> everywhere instead of using start-stop-daemon.
>
> > My current SE Linux code requires that the administrator password be
> > entered to start a daemon from any program other than init (which results
> > in cron jobs using start-stop-daemon such as those from man-db aborting
> > because there is no terminal device).
>
> How exactly is cron different here then starting daemons at system boot
> or restarting them during an upgrade? At all options there might be
> nobody present to enter passwords.
The process /sbin/init is run in the init_t security domain. When it runs an
initrc_exec_t type program the domain is automatically changed to initrc_t
(which is the correct domain for starting daemons).
To enter the initrc_t domain otherwise requires the administrator's password.
Cron jobs should not be run in the initrc_t domain and therefore there should
be some conveniant way of determining when it's called from cron to avoid
asking for the password or wanting to change security domain.
--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
Reply to: