On Wed, 6 Dec 2023 at 11:17, Ondrej Pohorelsky <opoho...@redhat.com> wrote:
> Hi everyone,
>
> For F40 I would like to change file permissions of a few files that are
> provided by cronie and crontabs and swap deny list for allow list. I'm not
> really sure if I should make a change proposal. I figured I'll send an
> email first and see the feedback.
>
> The driving force of this change is feedback from RHEL customers, that
> they would like to have cronie and crontabs CIS compliant out of the box.
> Which means changing some of the file permissions and swapping `cron.deny`
> for `cron.allow`. As it stands now, they have to run their own scripts or
> dnf plugin (post-transaction-actions) to ensure that each update doesn't
> overwrite the file permissions they manually set.
>
> I would like these changes for F40, as this is going to be a branching
> point for next RHEL and I would like to go with upstream first approach.
>
> *cronie* changes:
> `cron.allow` replaces `cron.deny` (file permission 600)
> `cron.d` permission change (755 → 700)
> `cron.hourly` permission change (755 → 700)
>
> *crontabs* changes:
> `crontab` permission change (644 → 600)
> `cron.{hourly,daily,weekly,monthly}` permission change (755 → 700)
>
> Reference for these changes:
> static.open-scap.org/ssg-guides/ssg-rhel9-guide-cis.html
>
> PR:
> https://src.fedoraproject.org/rpms/cronie/pull-request/12
> https://src.fedoraproject.org/rpms/crontabs/pull-request/6
>
> Let me know what you think.
> Cheers,
> --
>

Hi there,

what is the impact of these changes:
- Do default installs work the same way as before?
- Do existing setups (crontabs) keep working?

If yes then I'd consider the permission changes to be fixes, or at least standard packaging changes.

What is the policy for existing cron.allow/cron.deny, i.e. what would `rpmconf -a` tell me?

Cheers
Michael
--
devel mailing list -- devel@lists.fedoraproject.org
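
A check for the modes listed in the proposal quoted above, added here as an example; it is not part of the thread or of the cronie/crontabs packages. It assumes the files live under `/etc` and that GNU `stat` is available; `audit_cron` and `CRON_DEVIATIONS` are hypothetical names.

```shell
#!/bin/sh
# Added example: compare a filesystem tree with the modes proposed in the thread.
# Assumptions: files are under <root>/etc, and stat is GNU coreutils (stat -c).

# Name (relative to etc) and proposed octal mode, taken from the message.
PROPOSED='cron.allow 600
cron.d 700
cron.hourly 700
cron.daily 700
cron.weekly 700
cron.monthly 700
crontab 600'

# audit_cron [ROOT]
# Prints one line per deviation, stores the count in CRON_DEVIATIONS,
# and returns 0 only when the tree matches the proposal.
# ROOT may be a chroot or mounted image; it defaults to the live system.
audit_cron() {
    root=${1:-}
    root=${root%/}
    CRON_DEVIATIONS=0
    while read -r name want; do
        path="$root/etc/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING $path (want mode $want)"
            CRON_DEVIATIONS=$((CRON_DEVIATIONS + 1))
            continue
        fi
        have=$(stat -c '%a' "$path")
        if [ "$have" != "$want" ]; then
            echo "MODE    $path is $have, want $want"
            CRON_DEVIATIONS=$((CRON_DEVIATIONS + 1))
        fi
    done <<EOF
$PROPOSED
EOF
    # Assumption: a leftover deny list is reported as a deviation; the thread
    # does not say what happens to an existing cron.deny on upgrade.
    if [ -e "$root/etc/cron.deny" ]; then
        echo "PRESENT $root/etc/cron.deny (proposal replaces it with cron.allow)"
        CRON_DEVIATIONS=$((CRON_DEVIATIONS + 1))
    fi
    [ "$CRON_DEVIATIONS" -eq 0 ]
}
```

Calling `audit_cron` with no argument after a package update checks the live `/etc`; a non-zero exit status means at least one path differs from the proposed state.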