[arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?

Gaetan Bisson bisson at archlinux.org
Thu Mar 27 23:26:14 EDT 2014


[2014-03-27 22:59:36 -0400] Daniel Micay:
> On 27/03/14 10:01 PM, Gaetan Bisson wrote:
> > [2014-03-27 21:01:17 -0400] Daniel Micay:
> >> setuid binary (crontab) so it opens up a vulnerability in the base install.
> >>
> >> Among others (although one requires cron to be enabled):
> >>
> >> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424
> >> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097
> > 
> > There were bugs that have been fixed a while ago; what's your point?
> 
> My point was only that the security risk is not theoretical.

Of course it isn't: we all know every piece of software has bugs, which
is a potential security issue when run as root. Now the above cronie
bugs were fixed long ago. Do you have any evidence suggesting systemd
should be less bug-prone than cronie?

> AFAIK avoiding setuid binaries is one of the reasons for tools
> like hostnamectl using a client-server model.

Forgive me if I'm not convinced a user client giving commands to a root
daemon is much better than a setuid binary implementing said commands.

-- 
Gaetan