[Bug 1150559] New: AUDIT-1: yum: review of cron job file(s): /etc/cron.daily/0yum.cron
http://bugzilla.suse.com/show_bug.cgi?id=1150559

Bug ID: 1150559
Summary: AUDIT-1: yum: review of cron job file(s): /etc/cron.daily/0yum.cron
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: matthias.gerstner@suse.com
QA Contact: qa-bugs@suse.de
CC: jsegitz@suse.com, malte.kraus@suse.com, matthias.gerstner@suse.com, tchvatal@suse.com
Blocks: 1150175
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #1150175

As discussed in the proactive security team we want to restrict the installation of cron job files in the future. To achieve this we first need to cover the currently existing packages that do this.

yum installs a cron file in /etc/cron.daily/0yum.cron. It should be reviewed and whitelisted if all is well.

-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1150559#c1

--- Comment #1 from Tomáš Chvátal <tchvatal@suse.com> ---
Does it make sense since we hard required migration to timer systemd services?

Looking at the cron script, it seems pretty useless and could be removed from this package.
http://bugzilla.suse.com/show_bug.cgi?id=1150559#c2

--- Comment #2 from Matthias Gerstner <matthias.gerstner@suse.com> ---
(In reply to tchvatal@suse.com from comment #1)
> Does it make sense since we hard required migration to timer systemd services?
> Looking at the cron script, it seems pretty useless and could be removed from this package.

When you want to remove it we're happy. No cron job is always more secure than anything else. We should still keep the bug open to have a quick look at it in case older releases are affected by anything. It will take a while until we cover all reviews since there's a larger number of packages we'll need to look into.
http://bugzilla.suse.com/show_bug.cgi?id=1150559

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                |Added
----------------------------------------------------------------------------
         Status    |NEW                    |IN_PROGRESS
       Assignee    |security-team@suse.de  |matthias.gerstner@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1150559#c3

--- Comment #3 from Tomáš Chvátal <tchvatal@suse.com> ---
Just FYI, I checked how we use yum. We have it as a dep for createrepo, which should be replaced by createrepo_c. As such it might make sense to just remove createrepo and yum completely from the distribution and be done with it.
http://bugzilla.suse.com/show_bug.cgi?id=1150559#c4

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---
It looks like the cron job doesn't work on any of our maintained codestreams of yum. These are the first lines of the script:

```
if [ ! -f /var/lock/subsys/yum-cron ]; then
    exit 0
fi
```

I couldn't even find on SLE-12-SP4 any trace of the init script that creates this file. Maybe I'm missing something else, but as far as I can see there's no canonical way to enable the cron job in the first place.

If this is the case, and since you want to remove yum and/or the cron job anyway, I can skip an in-depth review of the cron job's security. I'd like to ask you to simply remove the cron job from the packaging in openSUSE:Factory, or remove yum from openSUSE:Factory, whichever is quicker for you.
http://bugzilla.suse.com/show_bug.cgi?id=1150559#c5

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                |Added
----------------------------------------------------------------------------
         Status    |IN_PROGRESS            |RESOLVED
     Resolution    |---                    |FIXED

--- Comment #5 from Matthias Gerstner <matthias.gerstner@suse.com> ---
Yum seems to have been removed from Factory. Therefore no whitelisting will become necessary. Old codestreams are dysfunctional cron-job-wise. So nothing to worry about.