On Wed, 6 Dec 2023 at 11:17, Ondrej Pohorelsky <opohorel@xxxxxxxxxx> wrote:
The driving force of this change is feedback from RHEL customers, that they would like to have cronie and crontabs CIS compliant out of the box. Which means changing some of the file permissions and swapping `cron.deny` for `cron.allow`. As it stands now, they have to run their own scripts or dnf plugin (post-transaction-actions) to ensure that each update doesn't overwrite the file permissions they manually set.

Hi everyone,

For F40 I would like to change file permissions of a few files that are provided by cronie and crontabs and swap deny list for allow list. I'm not really sure if I should make a change proposal. I figured I'll send an email first and see the feedback.

I would like these changes for F40, as this is going to be a branching point for next RHEL and I would like to go with upstream first approach.

cronie changes:
- `cron.allow` replaces `cron.deny` (file permission 600)
- `cron.d` permission change (755 → 700)
- `cron.hourly` permission change (755 → 700)

crontabs changes:
- `crontab` permission change (644 → 600)
- `cron.{hourly,daily,weekly,monthly}` permission change (755 → 700)

Reference for these changes:
static.open-scap.org/ssg-guides/ssg-rhel9-guide-cis.html

PR:
https://src.fedoraproject.org/rpms/cronie/pull-request/12
https://src.fedoraproject.org/rpms/crontabs/pull-request/6

Let me know what you think.

Cheers,
--
Hi there,
what is the impact of these changes:
- Do default installs work the same way as before?
- Do existing setups (crontabs) keep working?
If yes then I'd consider the permission changes to be fixes, or at least standard packaging changes.
What is the policy for existing cron.allow/cron.deny, i.e. what would `rpmconf -a` tell me?
Cheers
Michael
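
A check an administrator could run after an update to compare a system with the modes listed in the proposal, as an added example that is not part of the thread or of either pull request. It assumes the bare names in the mail live under `/etc` and that GNU `stat` is available; `audit_cron_perms` and `CRON_EXPECTED` are names made up here.

```shell
#!/bin/sh
# Added example: audit a cron tree against the modes listed in the proposal.
# Assumption: the bare names in the mail live under /etc; pass another
# directory as $1 to check a constructed tree instead.

# name:maximum-mode pairs, taken from the list in the proposal.
CRON_EXPECTED="cron.allow:600 crontab:600 cron.d:700 cron.hourly:700
cron.daily:700 cron.weekly:700 cron.monthly:700"

audit_cron_perms() {
    root="${1:-/etc}"
    findings=0
    for entry in $CRON_EXPECTED; do
        name="${entry%%:*}"
        want="${entry##*:}"
        path="$root/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING $path (expected mode $want)"
            findings=$((findings + 1))
            continue
        fi
        have="$(stat -c '%a' "$path")"      # GNU stat, octal mode
        # Flag any permission bit that is set beyond the expected mode;
        # a stricter mode than listed passes.
        if [ $(( 0$have & ~0$want )) -ne 0 ]; then
            echo "MODE    $path is $have, expected $want or stricter"
            findings=$((findings + 1))
        fi
    done
    # The proposal replaces cron.deny with cron.allow; a leftover deny
    # list is reported for review but not counted as a finding.
    if [ -e "$root/cron.deny" ]; then
        echo "NOTE    $root/cron.deny is still present"
    fi
    echo "$findings finding(s) under $root"
    [ "$findings" -eq 0 ]
}
```

Run `audit_cron_perms` with no argument to check `/etc`; the exit status is non-zero when any file is missing or more permissive than listed.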