Bugzilla – Bug 1150552
AUDIT-1: patch2mail: review of cron job file(s): /etc/cron.daily/patch2mail
Last modified: 2020-01-29 13:19:39 UTC
+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.
patch2mail installs a cron file in /etc/cron.daily/patch2mail. It should be
reviewed and whitelisted if all is well.
The cron job is rather simple and only calls zypper to get information about
pending updates and patches. The information is processed and mailed to root.
I couldn't find any security problems with it.
For hardening it could make sense to run this cron job as an unprivileged user
which should work just as well, because read-only information from zypper is
available to all users. The `setpriv` program can be used for this.
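The privilege drop suggested above, as an added example (not the patch2mail package's own cron script): a /etc/cron.daily wrapper that re-executes itself through setpriv(1) before running zypper's read-only queries and mailing the result to root. The account name `nobody` (and group), the `zypper list-patches` / `zypper list-updates` subcommands and the use of mail(1) are assumptions for illustration, not taken from the package.

```shell
#!/bin/sh
# Added example, not the patch2mail package's own cron script: a /etc/cron.daily
# wrapper that drops root with setpriv(1) before running zypper's read-only
# queries, as suggested in the review. Assumptions: a "nobody" account and group
# exist, list-patches / list-updates are the queries the real script runs, and
# mail(1) delivers local mail to root.
set -eu

UNPRIV_USER="${PATCH2MAIL_USER:-nobody}"    # assumed unprivileged account
UNPRIV_GROUP="${PATCH2MAIL_GROUP:-nobody}"  # assumed matching group

# Build the setpriv command line that switches to the unprivileged identity,
# resets supplementary groups, clears inheritable capabilities and sets
# no_new_privs so the job cannot regain privilege via setuid binaries.
setpriv_cmd() {
    printf 'setpriv --reuid=%s --regid=%s --init-groups --inh-caps=-all --no-new-privs' "$1" "$2"
}

# True only when the caller is root, i.e. when a drop is actually needed.
needs_drop() {
    [ "$(id -u)" -eq 0 ]
}

# Guard that the drop really happened: refuse to continue as uid 0.
assert_unprivileged() {
    [ "$(id -u)" -ne 0 ]
}

# The actual job: read-only zypper queries, output mailed to root.
report() {
    {
        echo "Pending patches:"
        zypper --non-interactive list-patches
        echo
        echo "Pending package updates:"
        zypper --non-interactive list-updates
    } 2>&1 | mail -s "patch2mail: pending updates on $(hostname)" root
}

main() {
    if needs_drop; then
        # Re-execute this script under the unprivileged identity; the second
        # invocation is no longer root and falls through to the report.
        exec $(setpriv_cmd "$UNPRIV_USER" "$UNPRIV_GROUP") "$0" "$@"
    fi
    assert_unprivileged
    report
}

# Only run the job when invoked as the cron script itself, so the functions
# above can be sourced and inspected without side effects.
if [ "${0##*/}" = "patch2mail" ]; then
    main "$@"
fi
```

The wrapper re-executes itself rather than wrapping each zypper call, so every command in the job (including the mail submission) runs without root; `assert_unprivileged` makes a failed drop a hard error instead of a silent fallback to root. If the system provides a dedicated service account for the package, substituting it for `nobody` keeps the job's files and lock attempts separate from other unprivileged daemons.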
We'll skip the hardening from bug 1158538, because it has turned out to be too
complicated. The whitelisting for patch2mail in its current form is already in
place. Therefore closing this bug as FIXED.