Hi guys,
We had a case (logwatch) where running logwatch from within a cronjob failed
because /etc/crontab had "HOME=/root" set [1]. The application used the current
working directory for scanning and failed because the job did not have the
proper privileges. As a result, logwatch died out and didn't function.
I think that we have HOME=/ by default, but HOME=/root for system cronjobs
is not all that uncommon. But policy-wise, what is the best way to handle
this?
We can
- document that /etc/crontab must use HOME=/ and leave any job that needs
HOME=/root for the root users' cronjobs
- allow the necessary privileges for logwatch_t only, or
- grant this to all domains through cron_system_entry
I personally think that the first one (document) is the proper one, but
perhaps one of you have a more profound vision on this?
Wkr,
Sven Vermeulen
[1] https://bugs.gentoo.org/show_bug.cgi?id=392699