"Todd C. Miller" <todd.mil...@courtesan.com> writes: > On Wed, 11 Nov 2015 23:30:48 +0100, > =?utf-8?Q?J=C3=A9r=C3=A9mie_Courr=C3=A8ges- > Anglas?= wrote: > >> "Todd C. Miller" <todd.mil...@courtesan.com> writes: >> >> > On Wed, 11 Nov 2015 14:43:47 -0700, "Todd C. Miller" wrote: >> > >> >> There's limited backward compatibility so you can run a new crontab >> >> with an older cron daemon. >> > >> > Revised diff, I neglected to send out the cron.c changes in the >> > first one. >> >> The socket doesn't inherit the crontab group from its parent directory >> anymore. > > I was wondering if anyone would notice that. I fixed that after I > had already sent the updated diff. This versions sets cron's egid > to crontab so it can chmod the socket.
Grmbl. I've had a hard time trying to understand *why* this would be
needed. The answer is pledge(2), which makes chmod(2) fail with EPERM
instead of killing the process.

I find this confusing. IMO pledge(2) should let the kernel do the
appropriate security checks for chown(2).

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE