use fcron as default scheduler in Fedora?
Patrice Dumas
pertusus at free.fr
Tue Dec 23 15:54:54 UTC 2008

On Tue, Dec 23, 2008 at 09:45:54AM -0500, Steve Grubb wrote:
>
> There are some disadvantages, too.
>
> 1) it does not support polyinstantiation - needed for MLS

Is there something explaining polyinstantiation in the context of
a cron scheduler?

> 2) It also does not send audit events based on denying a cron job.

Right. I'll have a look at what cronie does and contact upstream on
that, but I don't expect to be able to do that soon.

> 3) Its pam settings do not support the audit system out of the box.
> 4) Its default pam settings need alignment with vixie-cron in general.

I had a look at the pam crond file, and indeed it looks good
while the fcron one is quite bad. I won't be able to change it,
though, for I don't have a Fedora anymore.

I think it would be nice to have examples of pam files for Fedora
for the different types of applications. Last time I had a look
there was a complete lack of consistency.

> It would appear to not have had security reviews like vixie-cron has. In a few
> minutes I found what appears to be a potentially serious security problem.
> I've reported it upstream last week and no reply at all. I have not done a
> full code review like I would for our cert efforts, so there may be more
> problems waiting.

In general upstream is rather reactive...
It looks like there was some security audit in 2004 since 4 vulnerabilities
were discovered.

> You have to be careful switching out core pieces of software that performs a
> security sensitive role. The lack of attacks on most of Fedora is due to
> years of review and feedback on code.

Is it a general statement or a statement about the cron scheduler?
It seems to me that some parts of Fedora are very young (though maybe
they were audited a lot), like dbus, consolekit, hald, and have system-wide
security implications that are certainly as problematic as those of
a cron scheduler.

In any case I can do some work on those issues, but so far nobody
took fcron when I orphaned it. A maintainer in Fedora would be a
prerequisite for moving that issue along.

--
Pat