Re: Change of cronie and crontabs CIS compliance

Ondrej Pohorelsky <opohorel@xxxxxxxxxx> writes:

> I've removed cron.allow from my PR[0] and reverted to cron.deny approach.
> As this was the only disputed change in these PRs so far, I plan on merging
> both of them into rawhide at the end of this week.
> However, if you see any issue with merging this "middle ground" change,
> feel free to discuss.
>

```
- %attr(4755,root,root) %{_bindir}/crontab
+ %attr(600,root,root) %{_bindir}/crontab
```
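Review bot: the replacement mode 600 on `%{_bindir}/crontab` carries no execute bit at all, so the binary cannot be run by anyone (root included: CAP_DAC_OVERRIDE only bypasses the execute check when at least one execute bit is set), and it also drops the setuid bit that lets an unprivileged user's `crontab -e` write into the root-owned spool, which is exactly the documented per-user workflow quoted below. If the goal is to restrict who may run the command, keep a setuid mode that retains an execute bit (e.g. the existing 4755, or a group-restricted setuid mode) rather than a plain file mode.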

From
https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/monitoring-and-automation/Automating_System_Tasks/

"""
To create a crontab as a specific user, login as that user and type the
command crontab -e to edit the user’s crontab with the editor specified
in the VISUAL or EDITOR environment variable.
"""

If you want to change this, you should push the change via the Fedora
Change process so it's clearly announced and documented.

> [0] https://src.fedoraproject.org/rpms/cronie/pull-request/12
>
> On Sun, Dec 10, 2023 at 3:37 PM Chuck Anderson <cra@xxxxxx> wrote:
>
>> On Wed, Dec 06, 2023 at 12:18:48PM +0000, Daniel P. Berrangé wrote:
>> > The main effect of the permissions change on these files is that non-root
>> > users can't see any env variables set against the commands scheduled to
>> > run.
>> > The actual command lines are still all visible in the process listing when
>> > the command runs.
>>
>> I think this part alone is worthwhile in a general distro like Fedora,
>> irrespective of any CIS requirements.  Env vars can contain secret
>> data and they are no longer readable by all users in process lists, so
>> changing permissions on cron files fixes a real potential information
>> leak.
>>
>> Also, it is hard to keep file and directory permissions changed from
>> how they are packaged.  The files will become exposed during package
>> updates until some other script comes by and fixes them again.  So it
>> is worthwhile to fix this in the packaging.
>>
>> I agree that the correct middle ground is to fix the permissions, but
>> leave the other parts about cron.allow/cron.deny alone.
>
> -- 
> Ondřej Pohořelský
> Software Engineer
> Red Hat <https://www.redhat.com>
> opohorel@xxxxxxxxxx
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
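An added audit helper, not part of cronie or the pull request under discussion, that checks the two properties this thread keeps apart: cron configuration must be readable by root only (so env lines are not exposed to other users), while the crontab binary must keep its setuid bit and an execute bit so the documented per-user `crontab -e` still works. The function names, the path list and the `--run` flag are this example's own assumptions; it relies on GNU `stat`.

```shell
#!/bin/sh
# Hypothetical audit helper (example only; not cronie's or the PR's code).
# Config files: root-only readable, no env-var leak. crontab binary: setuid
# root plus an execute bit, otherwise "crontab -e" breaks for users.

# Octal mode string as printed by GNU stat %a (e.g. "4755") -> integer.
mode_num() { echo $(( 0$1 )); }

# True when no group/other read/write/execute bit is set.
mode_owner_only() {
    m=$(mode_num "$1")
    [ $(( m & 077 )) -eq 0 ]
}

# True when the setuid bit and at least one execute bit are set. Mode 600
# fails: with no execute bit not even root can run the file, and the
# missing setuid bit is what lets users write their own crontab.
mode_setuid_exec() {
    m=$(mode_num "$1")
    [ $(( m & 04000 )) -ne 0 ] && [ $(( m & 0111 )) -ne 0 ]
}

# "mode owner group" for a path, e.g. "4755 root root" (GNU stat).
file_perms() { stat -c '%a %U %G' "$1"; }

# Audit one path; KIND is "config" or "binary". Prints a finding and
# returns 1 on a problem, 0 when the path is fine or does not exist.
audit_path() {
    path=$1 kind=$2
    [ -e "$path" ] || return 0
    set -- $(file_perms "$path")          # $1=mode $2=owner $3=group
    [ "$2" = root ] || { echo "WARN $path owned by $2, expected root"; return 1; }
    case $kind in
        config) mode_owner_only "$1" ||
            { echo "WARN $path mode $1 readable by group/other"; return 1; } ;;
        binary) mode_setuid_exec "$1" ||
            { echo "WARN $path mode $1 lacks setuid/exec bit; crontab -e breaks"; return 1; } ;;
    esac
}

# Full audit of the usual Fedora paths when invoked with --run.
if [ "${1:-}" = --run ]; then
    rc=0
    for p in /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
             /etc/cron.weekly /etc/cron.monthly; do
        audit_path "$p" config || rc=1
    done
    audit_path /usr/bin/crontab binary || rc=1
    exit "$rc"
fi
```

Run it as `sh audit.sh --run` after a package update to catch permissions that have been reset by the packaging, which is the drift Chuck describes above.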