On Tue, Dec 23, 2008 at 09:45:54AM -0500, Steve Grubb wrote:

> There are some disadvantages, too.
>
> 1) it does not support polyinstantiation - needed for MLS

Is there something explaining polyinstantiation in the context of a cron scheduler?

> 2) It also does not send audit events based on denying a cron job.

Right. I'll have a look at what cronie does and contact upstream on that, but I don't expect to be able to do that soon.

> 3) Its pam settings do not support the audit system out of the box.
> 4) Its default pam settings need alignment with vixie-cron in general.

I had a look at the pam crond file, and indeed it looks good, while the fcron one is quite bad. I won't be able to change it, though, for I don't have a Fedora anymore.

I think it would be nice to have examples of pam files for Fedora for the different types of applications. Last time I had a look there was a complete lack of consistency.

> It would appear to not have had security reviews like vixie-cron has. In a few
> minutes I found what appears to be a potentially serious security problem.
> I reported it upstream last week and no reply at all. I have not done a
> full code review like I would for our cert efforts, so there may be more
> problems waiting.

In general upstream is rather reactive... It looks like there was some security audit in 2004, since 4 vulnerabilities were discovered.

> You have to be careful switching out core pieces of software that perform a
> security sensitive role. The lack of attacks on most of Fedora is due to
> years of review and feedback on code.

Is it a general statement or a statement about the cron scheduler? It seems to me that some parts of Fedora are very young (though maybe they were audited a lot), like dbus, consolekit, hald, and have system-wide security implications that are certainly as problematic as those of a cron scheduler.

In any case I can do some work on those issues, but so far nobody took fcron when I orphaned it. A maintainer in Fedora would be a prerequisite for moving that issue along.

--
Pat

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list