[2014-03-27 22:59:36 -0400] Daniel Micay: > On 27/03/14 10:01 PM, Gaetan Bisson wrote: > > [2014-03-27 21:01:17 -0400] Daniel Micay: > >> setuid binary (crontab) so it opens up a vulnerability in the base install. > >> > >> Among others (although one requires cron to be enabled): > >> > >> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0424 > >> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6097 > > > > There were bugs that have been fixed a while ago; what's your point? > > My point was only that the security risk is not theoretical.
Of course it isn't: we all know every piece of software has bugs, which is a potential security issue when run as root. Now the above cronie bugs were fixed long ago. Do you have any evidence suggesting systemd should be less bug-prone than cronie? > AFAIK avoiding setuid binaries is one of the reasons for tools > like hostnamectl using a client-server model. Forgive me if I'm not convinced a user client giving commands to a root daemon is much better than a setuid binary implementing said commands. -- Gaetan
pgpp97IcG67tu.pgp
Description: PGP signature