[arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
Tom Gundersen
teg at jklm.no
Fri Mar 28 18:01:22 EDT 2014

On Fri, Mar 28, 2014 at 3:01 AM, Gaetan Bisson <bisson at archlinux.org> wrote:
> [2014-03-27 21:01:17 -0400] Daniel Micay:
>> setuid binary (crontab) so it opens up a vulnerability in the base install.
>>
>> Among others (although one requires cron to be enabled):
>>
>> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424
>> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097
>
> There were bugs that have been fixed a while ago; what's your point?
>
> I support switching to systemd timers in order to streamline our base
> install, as well as regroup daemons and periodic commands configuration
> in just one place. But I do not believe that replacing a small setuid
> binary by a larger one addresses any potential security issue.

I agree with Gaetan that I don't see the big security concern here.
However, I'm always in favor of dropping stuff from base whenever the
opportunity arises. Once other base packages no longer ship cron jobs,
I suppose there is no longer a reason to keep cronie in base? What's
your take on that, Gaetan (not sure if your comment was against
dropping it, or just against the security concern)?

Cheers,
Tom