On Wed, Dec 6, 2023 at 1:19 PM Daniel P. Berrangé <berra...@redhat.com>
wrote:
> On Wed, Dec 06, 2023 at 11:16:44AM +0100, Ondrej Pohorelsky wrote:
> > Hi everyone,
> >
> > For F40 I would like to change file permissions of few files that are
> > provided by cronie and crontabs and swap deny list for allow list. I'm
> not
> > really sure if I should make a change proposal. I figured I'll send an
> > email first and see the feedback.
> >
> > The driving force of this change is feedback from RHEL customers, that
> they
> > would like to have cronie and crontabs CIS compliant out of the box.
> Which
> > means changing some of the file permissions and swapping `cron.deny` for
> > `cron.allow`. As it stands now, they have to run their own scripts or dnf
> > plugin (post-transaction-actions) to ensure that each update doesn't
> > overwrite the file permissions they manually set.
>
> This CIS compliance problem is not something that is limited to cron. Their
> list of hardening steps covers a wide variety of software. IOW, even if
> cron
> were changed, presuambly such customers will need need their own scripts /
> dnf plugin to fix all the other apps listed in the CIS compliance guide.
>
> IOW, I feel like the real question here is whether the distro *as a whole*,
> not cron, wants/needs to be CIS compliant out of the box, or whether it
> should be explicitly an admin deployment task to enable compliance via a
> plugin / script.
>
>
I'm doing this only in the scope of cronie and crontabs. Basically reacting
on a few customers tickets that would welcome this change,
which I wouldn't like to introduce downstream.
On a distro level, this really doesn't make sense. Especially for Fedora.
For RHEL? Maybe, I don't know. I'm definitely not the right person
to answer this question.
> `cron.d` permission change (755 → 700)
> > `cron.hourly` permission change (755 → 700)
> >
> > *crontabs* changes:
> > `crontab` permission change (644 → 600)
> > `cron.{hourly,daily,weekly,monthly}` permission change (755 → 700)
>
> The main effect of the permissions change on these files is that non-root
> users can't see any env variables set against the commands scheduled to
> run.
> The actual command lines are still all visible in the proces listing when
> the command runs.
>
>
Which I think shouldn't be a problem if we don't use cron.allow default, as
I wrote in my previous mail.
--
Ondřej Pohořelský
Software Engineer
Red Hat <https://www.redhat.com>
opoho...@redhat.com
<https://www.redhat.com>
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
