Re: Change of cronie and crontabs CIS compliance

On Wed, Dec 6, 2023 at 1:02 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
> On Wed, Dec 06, 2023 at 11:53:26AM +0000, Tom Hughes via devel wrote:
> > On 06/12/2023 11:08, Ondrej Pohorelsky wrote:
> >
> > > The only difference is that if you have populated the cron.deny list,
> > > after update it gets saved as .rpmsave and cron.allow is created.
> > > If the cron.deny is blank, it will get replaced.
> > > Also, if you had cron.allow populated before, it will stay this way and
> > > blank cron.allow.rpmnew is created.
> >
> > Surely there is one more change though?
> >
> > Namely that users who could previously run crontab to create
> > cron jobs can no longer do so unless they have been added to
> > the cron.allow file.
> >
> > That seems like a breaking change to me?
>
> Yes, making cron unusable out of the box for non-root users feels like
> a pretty major regression in behaviour.


Yes, you are right. Thank you for noticing this. I've focused on the file permissions and completely overlooked this.

I think we can leave the cron.deny approach as the Fedora default and change the file permissions to be CIS compliant, as the real pain point that customers stated isn't the creation of cron.allow, but the file permissions that change after each update.
IMO, this can be a good middle ground.

--

Ondřej Pohořelský

Software Engineer

Red Hat

opohorel@xxxxxxxxxx   
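
The breaking change raised in this thread, modelled as an added example (not part of the original messages and not cronie's own code). It assumes the access rules documented in crontab(1) for cronie; the function name `crontab_access`, the user `alice` and the temporary files are hypothetical.

```shell
#!/bin/sh
# Model of the crontab access decision, assuming crontab(1) semantics:
#   root is always allowed; if cron.allow exists, only listed users pass
#   and cron.deny is ignored; otherwise cron.deny lists the blocked users;
#   with neither file present, only root may use crontab.
# Args: user, path to cron.allow, path to cron.deny.
# Prints the governing rule; returns 0 if allowed, 1 if denied.
crontab_access() {
    user=$1; allow=$2; deny=$3
    if [ "$user" = root ]; then
        echo "allowed: root is always permitted"; return 0
    fi
    if [ -e "$allow" ]; then
        if grep -qxF -- "$user" "$allow"; then
            echo "allowed: listed in cron.allow"; return 0
        fi
        echo "denied: cron.allow exists and does not list $user"; return 1
    fi
    if [ -e "$deny" ]; then
        if grep -qxF -- "$user" "$deny"; then
            echo "denied: listed in cron.deny"; return 1
        fi
        echo "allowed: not listed in cron.deny"; return 0
    fi
    echo "denied: neither file exists"; return 1
}

# Constructed before/after states in a temp dir (no system files touched).
demo() {
    d=$(mktemp -d)
    : > "$d/cron.deny"      # before: blank cron.deny only
    printf 'before update: '
    crontab_access alice "$d/cron.allow" "$d/cron.deny" || :
    : > "$d/cron.allow"     # after: blank cron.allow now present
    printf 'after update:  '
    crontab_access alice "$d/cron.allow" "$d/cron.deny" || :
    rm -rf "$d"
}
demo
```

Pointing the function at the real `/etc/cron.allow` and `/etc/cron.deny` shows which file governs a given account before and after a package update.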
