This is the modified cron init-script diff -u cron_org cron --- cron_org 2008-07-03 04:10:46.000000000 +0200 +++ cron 2008-07-03 04:12:02.000000000 +0200 @@ -23,7 +23,7 @@ case "$1" in start) log_daemon_msg "Starting periodic command scheduler" "crond" - start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES + run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES log_end_msg $? ;; stop) log_daemon_msg "Stopping periodic command scheduler" "crond" 
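Review bot: in the start branch, `log_end_msg $?` now reports the exit status of `run-jail cron ...` rather than of start-stop-daemon, so unless run-jail execs its command or passes the status through, a start that fails inside the jail is still logged as success; confirm run-jail's exit-status behaviour or check for the pidfile after the call. Leaving the stop branch unjailed is fine, since `--stop --pidfile /var/run/crond.pid --name cron` only needs the pidfile.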
@@ -32,7 +32,7 @@ ;; restart) log_daemon_msg "Restarting periodic command scheduler" "crond" start-stop-daemon --stop --retry 5 --quiet --pidfile /var/run/crond.pid --name cron - start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES + run-jail cron start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron -- $LSBNAMES log_end_msg $? ;; reload|force-reload) log_daemon_msg "Reloading configuration files for periodic command scheduler" "crond"

The first thing to do is add the jail flag **'allow-ipc-syslog'** to the cron jail file. Every service that sends data to syslog needs this if syslogd is jailed too:

  (allow-ipc-syslog) () () ()

Then I stop the service, start it again and watch the other terminal, the one with the RSBAC messages on it. Besides the usual message, starting the service prints the rsbac_jail command line that is actually executed:

  /etc/init.d/cron stop
  /etc/init.d/cron start
  Starting periodic command scheduler: crond
  This is execute now: rsbac_jail -y start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --

On the other terminal:

  <6>0000001237|rsbac_adf_request(): request WRITE_OPEN, pid 4631, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32834, result NOT_GRANTED by JAIL

In the denial line look for target_type and request:

  target_type DEV :: request WRITE_OPEN

Target type DEV is covered by a jail flag, and on [[wiki:experiences/igraltist/jail_flags|jail_flags]] the closest match is "allow-dev-write": "-D". rsbac_jail describes it as:

  -D = allow write access on devices

The tid, char 01:03, is /dev/null. The flag is not limited to that device, it allows write access on all devices, so look at the tid before adding it and be sure that is really what the service needs. Here it is, so I add it to the cron jail file:

  (allow-ipc-syslog allow-dev-write) () () ()

and stop and start crond again:

  /etc/init.d/cron start
  Starting periodic command scheduler: crond
  This is execute now: rsbac_jail -y -D start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
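Review bot: the restart branch repeats the whole `run-jail cron start-stop-daemon --start ... -- $LSBNAMES` line from the start branch, so the wrapper had to be patched in two places and any later change (another jail name, another option) must be made twice; have restart reuse the start branch (for example `$0 stop; $0 start`) or move the jailed start into a shell function used by both. As in the start branch, `log_end_msg $?` reports run-jail's exit status, not start-stop-daemon's, unless run-jail passes it through.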
On the other terminal I see:

  <6>0000001239|rsbac_adf_request(): request READ_OPEN, pid 4653, ppid 1, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type DEV, tid char 01:03, attr open_flag, value 32769, result NOT_GRANTED by JAIL

Again look for target_type and request:

  target_type DEV :: request READ_OPEN

This time the flag is "allow-dev-read": "-d". rsbac_jail describes it as:

  -d = allow read access on devices

So I add it to the cron jail file:

  (allow-ipc-syslog allow-dev-write allow-dev-read) () () ()

and play the same game again, stop and start crond:

  /etc/init.d/cron start
  Starting periodic command scheduler: crond
  This is execute now: rsbac_jail -y -D -d start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --

Now nothing appears on the terminal with the RSBAC messages. So far so good. But a cron job will come soon and it will touch things that are not set up yet. To get there I move the clock forward (virtually only :-)) to the next cron jobs.

=====

Now it is 6:25 am, the standard cron jobs are starting and on the terminal I see this:

  <6>0000001241|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 4732, ppid 4716, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr none, value none, result NOT_GRANTED by JAIL

Always the same: look for target_type and request, and this time also for the tid:

  target_type SCD :: request MODIFY_SYSTEM_DATA :: tid rlimit

The target type has changed to SCD, so now I have to use the [[wiki:experiences/igraltist/jail_flags|scd_flags]] instead of a jail flag. The request is MODIFY_SYSTEM_DATA, which means category four of the jail file, and the tid names the scd flag that is needed: rlimit. MODIFY_SYSTEM_DATA and GET_SYSTEM_DATA use the same scd_flags, only the category differs: if GET_SYSTEM_DATA is requested, rsbac_jail needs -G, for MODIFY_SYSTEM_DATA it needs -M.
So I add rlimit to category four of the cron jail file:

  (allow-ipc-syslog allow-dev-write allow-dev-read) () () (rlimit)

The next denial is for df:

  <6>0000001269|rsbac_adf_request(): request GET_STATUS_DATA, pid 4813, ppid 4807, prog_name df, prog_file /bin/df, uid 0, remote ip 192.168.1.5, target_type DEV, tid block 08:01, attr none, value none, result NOT_GRANTED by JAIL

Look for target_type and request; the tid (block 08:01, that is /dev/sda1) does not matter here, because the jail flag covers all devices:

  target_type DEV :: request GET_STATUS_DATA

rsbac_jail says:

  -e = allow GET_STATUS_DATA on devices

This is a jail flag, so in the first category I add 'allow-dev-get-status':

  (allow-ipc-syslog allow-dev-write allow-dev-read allow-dev-get-status) () () (rlimit)

Then a process running /sbin/syslogd tries to send a signal to pid 4384:

  <6>0000001300|rsbac_adf_request(): request SEND_SIGNAL, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type PROCESS, tid 4384, attr none, value none, result NOT_GRANTED by JAIL

Sending a signal to a process outside the jail is never allowed; there is no jail flag for it.

  <7>0000001301|rsbac_adf_request_jail(): process jail 57 does not match IPC object jail 56 -> NOT_GRANTED!
  <6>0000001302|rsbac_adf_request(): request WRITE, pid 4831, ppid 4830, prog_name syslogd, prog_file /sbin/syslogd, uid 0, remote ip 192.168.1.5, target_type IPC, tid AnonPipe-ID 10243, attr none, value none, result NOT_GRANTED by JAIL

Here the writing process is in jail 57 while the pipe belongs to jail 56, so this is IPC across a jail boundary. That has a jail flag again; 'allow-external-ipc' is needed:

  (allow-ipc-syslog allow-dev-write allow-dev-read allow-dev-get-status allow-external-ipc) () () (rlimit)

Now I restart cron:

  /etc/init.d/cron restart
  Restarting periodic command scheduler: crond
  This is execute now: rsbac_jail -y -D -d -e -i -M rlimit start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
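The loop above (read the denial line, pick out target_type, request and tid, add the flag to the jail file, turn the jail file into rsbac_jail options) as an added shell example. This is not the page's run-jail script, whose source is not shown on the page; the option letters are the ones the page's own rsbac_jail lines use (-y -D -d -e -i and -M <scd>). That the third group of the jail line maps to -G is an assumption (the page only ever fills category four), and the second group is never filled on the page, so the example only reports it instead of translating it.

```shell
#!/bin/sh
# Added example, not the page's own run-jail script (its source is not shown):
# a helper that does the two things the page does by hand.
#   jailfile_to_args   turns one line of the cron jail file, in the page's
#                      "(jail flags) () () (scd flags)" format, into the
#                      rsbac_jail options seen on the page (-y -D -d -e -i, -M <scd>).
#   rsbac_deny_suggest reads one "NOT_GRANTED by JAIL" line and names the flag.
# ASSUMPTIONS: the third group holds GET_SYSTEM_DATA scd flags (-G); the second
# group is never filled on the page, so it is only reported, not translated.

# jail_group SPEC N -> the words inside the N-th "( ... )" group of SPEC
jail_group() {
    printf '%s\n' "$1" |
        sed -n "s/^ *(\\([^)]*\\)) *(\\([^)]*\\)) *(\\([^)]*\\)) *(\\([^)]*\\)).*/\\$2/p"
}

# jailfile_to_args SPEC -> prints the rsbac_jail options for that jail line
jailfile_to_args() {
    spec=$1 args=''
    case $spec in
        *'('*')'*'('*')'*'('*')'*'('*')'*) ;;
        *) printf 'jail line needs four ( ) groups: %s\n' "$spec" >&2; return 1 ;;
    esac
    # category one: jail flags; the letters are those of the rsbac_jail lines on the page
    for f in $(jail_group "$spec" 1); do
        case $f in
            allow-ipc-syslog)     args="$args -y" ;;
            allow-dev-write)      args="$args -D" ;;
            allow-dev-read)       args="$args -d" ;;
            allow-dev-get-status) args="$args -e" ;;
            allow-external-ipc)   args="$args -i" ;;
            *) printf 'unknown jail flag %s, look it up in jail_flags\n' "$f" >&2; return 1 ;;
        esac
    done
    if [ -n "$(jail_group "$spec" 2)" ]; then
        printf 'warning: group two is not translated by this example\n' >&2
    fi
    # category three (ASSUMPTION): scd flags for GET_SYSTEM_DATA -> -G
    for s in $(jail_group "$spec" 3); do args="$args -G $s"; done
    # category four: scd flags for MODIFY_SYSTEM_DATA -> -M (as on the page)
    for s in $(jail_group "$spec" 4); do args="$args -M $s"; done
    printf '%s\n' "${args# }"
}

# run_jail_cmd SPEC CMD... -> prints the rsbac_jail command line that the page's
# wrapper reports as "This is execute now:"; swap printf for exec to really run it
run_jail_cmd() {
    spec=$1; shift
    args=$(jailfile_to_args "$spec") || return 1
    printf 'rsbac_jail%s %s\n' "${args:+ $args}" "$*"
}

# rsbac_deny_suggest LINE -> reads target_type, request and tid out of an
# rsbac_adf_request() denial and prints the flag the page's procedure would add
rsbac_deny_suggest() {
    line=$1
    case $line in
        *'result NOT_GRANTED by JAIL'*) ;;
        *) printf 'not a JAIL denial line\n' >&2; return 1 ;;
    esac
    req=$(printf '%s\n' "$line"   | sed -n 's/.*request \([A-Z_]*\),.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*target_type \([A-Z]*\),.*/\1/p')
    tid=$(printf '%s\n' "$line"   | sed -n 's/.*tid \([^,]*\),.*/\1/p')
    case "$ttype/$req" in
        DEV/WRITE_OPEN)         printf 'allow-dev-write (-D)\n' ;;
        DEV/READ_OPEN)          printf 'allow-dev-read (-d)\n' ;;
        DEV/GET_STATUS_DATA)    printf 'allow-dev-get-status (-e)\n' ;;
        SCD/MODIFY_SYSTEM_DATA) printf 'category four: %s (-M %s)\n' "$tid" "$tid" ;;
        SCD/GET_SYSTEM_DATA)    printf 'category three: %s (-G %s)\n' "$tid" "$tid" ;;
        IPC/*)                  printf 'allow-external-ipc (-i)\n' ;;
        PROCESS/SEND_SIGNAL)    printf 'no flag: signals to processes outside the jail are never allowed\n' ;;
        *) printf 'no mapping here for %s :: %s, look it up in jail_flags\n' "$ttype" "$req" ;;
    esac
}

# Sample run: the jail file as it ends up on the page, and one denial line
# copied from the page's log (input embedded so this runs offline).
run_jail_cmd '(allow-ipc-syslog allow-dev-write allow-dev-read allow-dev-get-status allow-external-ipc) () () (rlimit)' \
    start-stop-daemon --start --quiet --pidfile /var/run/crond.pid --name cron --startas /usr/sbin/cron --
rsbac_deny_suggest '<6>0000001241|rsbac_adf_request(): request MODIFY_SYSTEM_DATA, pid 4732, ppid 4716, prog_name cron, prog_file /usr/sbin/cron, uid 0, remote ip 192.168.1.5, target_type SCD, tid rlimit, attr none, value none, result NOT_GRANTED by JAIL'
```

Feeding the denials from the terminal through rsbac_deny_suggest one by one gives the same sequence of flags the page arrives at by hand; an unknown jail flag in the file makes jailfile_to_args fail instead of silently starting the daemon with fewer options than the file asks for.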