Bug 1150552 - AUDIT-1: patch2mail: review of cron job file(s): /etc/cron.daily/patch2mail
AUDIT-1: patch2mail: review of cron job file(s): /etc/cron.daily/patch2mail
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: Security Team bot
E-mail List
Depends on: 1158538
Blocks: 1150175
  Show dependency treegraph
Reported: 2019-09-12 12:02 UTC by Matthias Gerstner
Modified: 2020-01-29 13:19 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Gerstner 2019-09-12 12:02:47 UTC
+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

patch2mail installs a cron file in /etc/cron.daily/patch2mail. It should be
reviewed and whitelisted if all is well.
Comment 1 Matthias Gerstner 2019-11-12 11:36:33 UTC
The cron job is rather simple and only calls zypper to get information about
pending updates and patches. The information is processed and mailed to root.
I couldn't find any security problems with it.

For hardening it could make sense to run this cron job as an unprivileged user
which should work just as well, because read-only information from zypper is
available to all users. The `setpriv` program can be used for this.
Comment 2 Matthias Gerstner 2020-01-29 13:19:39 UTC
We'll skip the hardening from bug 1158538, because it has turned out to be too
complicated. The whitelisting for patch2mail in its current form is already in
place. Therefore closing this bug as FIXED.