[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: use fcron as default scheduler in Fedora?

On Tue, Dec 23, 2008 at 09:45:54AM -0500, Steve Grubb wrote:
> There are some disadvantages, too.
> 1) it does not support polyinstantiation - needed for MLS

Is there something explaining polyinstantiation in the context of 
a cron scheduler?

> 2) It also does not send audit events based on denying a cron job. 

Right. I'll have a look at what cronie does and contact upstream on 
that, but I don't expect to be able to do that soon.

> 3) Its pam settings do not support the audit system out of the box. 
> 4) Its default pam settings need alignment with vixie-cron in general.

I had a look at the pam crond file, and indeed it looks good
while the fcron one is quite bad. I won't be able to change it, 
though for I don't have a fedora anymore.

I think it would be nice to have examples of pam files for fedora
for the different types of applications. Last time I had a look
there was a complete lack of consistency.

> It would appear to not have had security reviews like vixie-cron has. In a few 
> minutes I found what appears to be a potentially serious security problem. 
> I've reported it upstream last week and no reply at all. I have not done a 
> full code review like I would for our cert efforts, so there may be more 
> problems waiting.

In general upstream is rather reactive...

It looks like there was some security audit in 2004 since 4 vulnerabilities
were discovered.
> You have to be careful switching out core pieces of software that performs a 
> security sensitive role. The lack of attacks on most of Fedora is due to 
> years of review and feedback on code.

Is it a general statement or a statement about the cron scheduler?
It seems to me that some part of fedora are very young (though maybe 
they were audited a lot), like dbus, consolekit, hald, and have system-wide
security implications that are certainly as problematic as those of 
a cron scheduler.

In any case I can do some work on those issues, but so far nobody 
took fcron when I orphaned it. A maintainer in fedora would be a 
prerequisite for moving that issue along.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]