I've removed cron.allow from my PR[0] and reverted to the cron.deny approach. As this was the only disputed change in these PRs so far, I plan on merging both of them into rawhide at the end of this week. However, if you see any issue with merging this "middle ground" change, feel free to discuss.
[0] https://src.fedoraproject.org/rpms/cronie/pull-request/12

On Sun, Dec 10, 2023 at 3:37 PM Chuck Anderson <c...@fea.st> wrote:

> On Wed, Dec 06, 2023 at 12:18:48PM +0000, Daniel P. Berrangé wrote:
> > The main effect of the permissions change on these files is that non-root
> > users can't see any env variables set against the commands scheduled to run.
> > The actual command lines are still all visible in the process listing when
> > the command runs.
>
> I think this part alone is worthwhile in a general distro like Fedora,
> irrespective of any CIS requirements. Env vars can contain secret
> data and they are no longer readable by all users in process lists, so
> changing permissions on cron files fixes a real potential information
> leak.
>
> Also, it is hard to keep file and directory permissions changed from
> how they are packaged. The files will become exposed during package
> updates until some other script comes by and fixes them again. So it
> is worthwhile to fix this in the packaging.
>
> I agree that the correct middle ground is to fix the permissions, but
> leave the other parts about cron.allow/cron.deny alone.
> --
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue

--
Ondřej Pohořelský
Software Engineer
Red Hat <https://www.redhat.com>
opoho...@redhat.com <https://www.redhat.com>