On 28/03/14 06:01 PM, Tom Gundersen wrote:
> On Fri, Mar 28, 2014 at 3:01 AM, Gaetan Bisson <bis...@archlinux.org> wrote:
>> [2014-03-27 21:01:17 -0400] Daniel Micay:
>>> setuid binary (crontab) so it opens up a vulnerability in the base install.
>>>
>>> Among others (although one requires cron to be enabled):
>>>
>>> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424
>>> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097
>>
>> Those were bugs that were fixed a while ago; what's your point?
>>
>> I support switching to systemd timers in order to streamline our base
>> install, as well as regroup daemons and periodic commands configuration
>> in just one place. But I do not believe that replacing a small setuid
>> binary by a larger one addresses any potential security issue.
>
> I agree with Gaetan that I don't see the big security concern here.
>
> However, I'm always in favor of dropping stuff from base whenever the
> opportunity arises. Once other base packages no longer ship cron jobs,
> I suppose there is no longer a reason to keep cronie in base? What's
> your take on that, Gaetan (not sure if your comment was against
> dropping it, or just against the security concern)?
>
> Cheers,
>
> Tom
It's a very minor security concern, but I think it's a valid reason for having people who want it install it explicitly. It's not currently enabled by default, and will have a narrow use case when the existing packaged cron jobs on are. I don't think there will be a use case for a single-user system anymore, or even *most* multi-user ones.
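For reference, this is what the "systemd timers instead of cron jobs" proposal discussed in the thread looks like in practice. It is an added example, not a unit file shipped by any Arch package or written by anyone in this thread; the unit names and the command `/usr/local/bin/periodic-task` are hypothetical placeholders. The job is defined as a oneshot service plus a timer that activates it, so the schedule and the sandboxing of the job live together under /etc/systemd/system rather than in a crontab edited through a setuid helper:

```ini
# /etc/systemd/system/periodic-task.service  (hypothetical unit name)
[Unit]
Description=Hypothetical periodic job, run by periodic-task.timer

[Service]
Type=oneshot
ExecStart=/usr/local/bin/periodic-task   ; placeholder command
# Run unprivileged and sandboxed; a crontab entry has no equivalent knobs.
User=nobody
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes

# /etc/systemd/system/periodic-task.timer  (hypothetical unit name)
[Unit]
Description=Run periodic-task daily

[Timer]
OnCalendar=daily
# Catch up on a missed run after downtime (anacron-like behaviour).
Persistent=true
# Spread the start time so many machines do not fire at once.
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
```

The two files go in separately under the paths shown in the comments. `systemctl enable --now periodic-task.timer` activates the schedule, `systemctl list-timers` shows the next and last run, and `journalctl -u periodic-task.service` holds the job's output. Editing these units requires root in the same way editing /etc/cron.d does; per-user schedules are handled by `systemctl --user` timers, which run under the user's own systemd instance and need no setuid binary.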