On Wed, Dec 06, 2023 at 12:18:48PM +0000, Daniel P. Berrangé wrote:
> The main effect of the permissions change on these files is that non-root
> users can't see any env variables set against the commands scheduled to run.
> The actual command lines are still all visible in the process listing when
> the command runs.

I think this part alone is worthwhile in a general distro like Fedora, irrespective of any CIS requirements. Env vars can contain secret data and they are no longer readable by all users in process lists, so changing permissions on cron files fixes a real potential information leak.

Also, it is hard to keep file and directory permissions changed from how they are packaged. The files will become exposed during package updates until some other script comes by and fixes them again. So it is worthwhile to fix this in the packaging.

I agree that the correct middle ground is to fix the permissions, but leave the other parts about cron.allow/cron.deny alone.
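An added example, not part of the original message or of any Fedora package: a check an administrator could run after package updates to list cron files that are readable by all users and the names of any environment variables they assign. The default paths are the usual cronie locations and are an assumption; the sample file contents in `demo()` are constructed.

```python
import os
import re
import stat
import tempfile

# Default locations are the usual cronie paths (assumption; adjust per system).
CRON_PATHS = ["/etc/crontab", "/etc/cron.d", "/etc/cron.hourly",
              "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly"]

# A crontab environment line looks like NAME=value; job lines start with
# a time field (digit, '*' or '@') and so never match.
ENV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")

def env_names(path):
    """Names (never values) of variables assigned in a cron file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [m.group(1) for m in map(ENV_LINE.match, fh) if m]

def audit(paths=CRON_PATHS):
    """Return (path, octal mode, env names) for files readable by 'other'."""
    findings = []
    for root in paths:
        if os.path.isdir(root):
            files = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs]
        else:
            files = [root] if os.path.isfile(root) else []
        for path in sorted(files):
            if os.path.islink(path):
                continue  # symlink modes say nothing about the target
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IROTH:
                findings.append((path, oct(mode), env_names(path)))
    return findings

def demo():
    """Constructed sample: one world-readable cron file, one owner-only."""
    tmp = tempfile.mkdtemp()
    sample = ('MAILTO=root\nAPI_TOKEN="constructed-example"\n'
              '*/5 * * * * root /usr/local/bin/sync\n')
    for name, mode in (("backup", 0o644), ("report", 0o600)):
        path = os.path.join(tmp, name)
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, mode)
    return [(os.path.basename(p), m, names) for p, m, names in audit([tmp])]

if __name__ == "__main__":
    for path, mode, names in audit():
        print(f"{path} mode={mode} env={','.join(names) or '-'}")
```

The report prints variable names only, so its own output does not repeat the values it is checking for.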