Cron jobs output are sent to the network by default

Andrew Lutomirski luto at mit.edu
Wed Oct 29 20:38:26 UTC 2014


On Oct 29, 2014 11:33 AM, "Miloslav Trmač" <mitr at redhat.com> wrote:
>
> ----- Original Message -----
> > I created a new bug [1] that explains that ssmtp is sending all cron
> > jobs output to an external SMTP server. I marked it as a security bug,
> > the security tag was removed and it was recommended to make it public,
> > something I can't do. I will resume the problem here, because there are
> > comments that say that it isn't a security bug, I disagree:
> >
> > 1- Fedora 20 shipped with the feature of not running an SMTP server by
> > default, I was fine with it because I don't need to send emails or
> > receive emails locally using it.
> >
> > 2- an update pulled ssmtp
> >
> > Apr 20 19:06:14 Installed: ssmtp-2.64-11.fc20.x86_64
> > Apr 20 19:06:15 Updated: 1:smartmontools-6.2-5.fc20.x86_64
> >
> > 3- ssmtp is configured by default to send emails to a host named mail
> >
> > 4- If a cron job runs the email is sent to mail.[your.domain] without
> > you ever configuring that.
>
> This is certainly not a reasonable default configuration for Fedora.
>
> While I think that it is not a reasonable default configuration for ssmtp
> at all, I could be persuaded otherwise; but in that case, it should never
> be installed by _anything_ that isn’t an explicit user’s choice (i.e. no
> dependencies direct or indirect, no comps group presence, and
> ideally/overzealously? an automated test that makes installing ssmtp in a
> default product configuration a release blocker).

Given that PackageKit can install things with minimal authentication, this
seems fragile.

Why not change cron's default config instead?

--Andy

>     Mirek
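
An added example, not part of the original message or of any Fedora package: a small audit that reads the `mailhub=` setting from an ssmtp.conf and the `MAILTO` assignments from a crontab, and reports which jobs would have their output relayed off the host. The sample file contents are constructed, and keeping the last `mailhub=` line when the key is repeated is an assumption.

```python
import re

LOCAL_HUBS = {"localhost", "127.0.0.1", "::1"}
ENV_LINE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")

def ssmtp_mailhub(conf_text):
    """Return the host named by mailhub= in ssmtp.conf text, or None if unset."""
    hub = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "mailhub":
            value = value.strip()
            # Drop an optional :port suffix (host:port has exactly one colon).
            hub = value.split(":")[0] if value.count(":") == 1 else value
    return hub  # assumption: the last mailhub= line wins

def jobs_that_mail(crontab_text):
    """Return (job line, recipient) for every job whose output cron would mail."""
    mailto = None  # None: MAILTO unset, so cron mails the crontab owner
    jobs = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if m:
            if m.group(1) == "MAILTO":
                mailto = m.group(2).strip().strip("\"'")
            continue
        if mailto != "":  # MAILTO="" is the crontab setting that disables mail
            jobs.append((line, mailto or "<crontab owner>"))
    return jobs

def audit(crontab_text, ssmtp_conf_text):
    """List jobs whose output leaves the host; an unset mailhub is not evaluated."""
    hub = ssmtp_mailhub(ssmtp_conf_text)
    if hub is None or hub.lower() in LOCAL_HUBS:
        return []
    return [f"output of '{job}' is mailed to {rcpt} via off-host mailhub '{hub}'"
            for job, rcpt in jobs_that_mail(crontab_text)]

# Constructed sample inputs, standing in for /etc/ssmtp/ssmtp.conf and a crontab.
SSMTP_CONF = "# constructed sample\nroot=postmaster\nmailhub=mail\n"
CRONTAB = ('MAILTO=root\n0 3 * * * /usr/local/bin/backup.sh\n'
           'MAILTO=""\n*/5 * * * * /usr/local/bin/poll.sh\n')

if __name__ == "__main__":
    print("\n".join(audit(CRONTAB, SSMTP_CONF)))
```

The check does not notice jobs that redirect their own output, which produce no mail regardless of `MAILTO`.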