On 28/03/14 06:01 PM, Tom Gundersen wrote:
On Fri, Mar 28, 2014 at 3:01 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
[2014-03-27 21:01:17 -0400] Daniel Micay:
setuid binary (crontab) so it opens up a vulnerability in the base install.
Among others (although one requires cron to be enabled):
* https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424 * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097
There were bugs that have been fixed a while ago; what's your point?
I support switching to systemd timers in order to streamline our base install, as well as regroup daemons and periodic commands configuration in just one place. But I do not believe that replacing a small setuid binary by a larger one addresses any potential security issue.
I agree with Gaetan that I don't see the big security concern here.
However, I'm always in favor of dropping stuff from base whenever the opportunity arises. Once other base packages no longer ship cron jobs, I suppose there is no longer a reason to keep cronie in base? What's your take on that Gaetan (not sure if your comment was against dropping it, or just against the security concern)?
Cheers,
Tom
It's a very minor security concern, but I think it's a valid reason for having people who want it install it explicitly. It's not currently enabled by default, and will have a narrow use case when the existing packaged cron jobs on are. I don't think there will be a use case for a single user system anymore, or even *most* multi-user ones.