On Fri, Mar 28, 2014 at 3:01 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
[2014-03-27 21:01:17 -0400] Daniel Micay:
setuid binary (crontab) so it opens up a vulnerability in the base install.
Among others (although one requires cron to be enabled):
* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424
* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097
There were bugs that have been fixed a while ago; what's your point?
I support switching to systemd timers in order to streamline our base install, as well as regroup daemons and periodic commands configuration in just one place. But I do not believe that replacing a small setuid binary by a larger one addresses any potential security issue.
I agree with Gaetan that I don't see the big security concern here. However, I'm always in favor of dropping stuff from base whenever the opportunity arises. Once other base packages no longer ship cron jobs, I suppose there is no longer a reason to keep cronie in base? What's your take on that, Gaetan (not sure if your comment was against dropping it, or just against the security concern)?

Cheers,
Tom