[arch-dev-public] Use systemd timers instead of /etc/cron.{hourly, daily, weekly, monthly}?
Daniel Micay
danielmicay at gmail.com
Fri Mar 28 20:52:24 EDT 2014

On 28/03/14 06:01 PM, Tom Gundersen wrote:
> On Fri, Mar 28, 2014 at 3:01 AM, Gaetan Bisson <bisson at archlinux.org> wrote:
>> [2014-03-27 21:01:17 -0400] Daniel Micay:
>>> setuid binary (crontab) so it opens up a vulnerability in the base install.
>>>
>>> Among others (although one requires cron to be enabled):
>>>
>>> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424
>>> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097
>>
>> There were bugs that have been fixed a while ago; what's your point?
>>
>> I support switching to systemd timers in order to streamline our base
>> install, as well as regroup daemons and periodic commands configuration
>> in just one place. But I do not believe that replacing a small setuid
>> binary by a larger one addresses any potential security issue.
> 
> I agree with Gaetan that I don't see the big security concern here.
> 
> However, I'm always in favor of dropping stuff from base whenever the
> opportunity arises. Once other base packages no longer ship cron jobs,
> I suppose there is no longer a reason to keep cronie in base? What's
> your take on that Gaetan (not sure if your comment was against
> dropping it, or just against the security concern)?
> 
> Cheers,
> 
> Tom

It's a very minor security concern, but I think it's a valid reason for
having people who want it install it explicitly. It's not currently
enabled by default, and will have a narrow use case when the existing
packaged cron jobs on are. I don't think there will be a use case for a
single user system anymore, or even *most* multi-user ones.