Bug#767894: More permission issues

Yuri D'Elia wavexx at thregr.org
Mon Nov 3 10:59:28 GMT 2014


Package: systemd-cron
Version: 1.3.1+ds1-1
Severity: minor

Generally, crontabs are only visible to the owner.

After #766053 gets fixed, the issue still remains in the sense that the
generated units/timers (coming from crontabs) have root:root 644 permissions,
which are readable by everyone.

I've seen 'journalctl' actually uses ACLs, so maybe it's safe to use ACLs by
default now since systemd is a dependency? In that case, I would chmod the
user-generated units/timers to 640, and add an explicit ACL for 400 user:root
(the same is done by journald when using the 'login' splitting method - so I'm
not using a new method here). This prevents the file from being modified by the
user, while still giving him r/o access. Not that we strictly need it anyway:
640 root:root would be enough.

The description itself contains a copy of the crontab line.

I would actually prefer the normal description to be just "crontab-user:line"
(easier to debug than matching text). It's less noisy in the unit list, and
also easier to grep for.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (800, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages systemd-cron depends on:
ii  init-system-helpers  1.21
ii  python               2.7.8-2
pn  python:any           <none>
ii  systemd-sysv         215-5+b1

systemd-cron recommends no packages.

systemd-cron suggests no packages.

-- debsums errors found:
debsums: changed file /lib/systemd/system-generators/systemd-crontab-generator (from systemd-cron package)
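
An audit for the condition described in the report above, as an added example that is not part of the original message or of systemd-cron: it lists unit files readable by 'other' in a given directory and applies the proposed 640 mode. The directory argument, the unit file names and the crontab line in the demo are constructed assumptions, and the ACL step is only built as a `setfacl` argument list, not executed.

```python
import os
import stat
import tempfile

UNIT_SUFFIXES = (".timer", ".service")

def world_readable_units(unit_dir):
    """Return [(path, mode)] for regular unit files readable by 'other'."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        st = os.lstat(path)  # lstat so symlinks are skipped, not followed
        if not stat.S_ISREG(st.st_mode) or not name.endswith(UNIT_SUFFIXES):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IROTH:
            findings.append((path, mode))
    return findings

def tighten(path, mode=0o640):
    """Apply the 640 mode proposed in the report and return the new mode."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.lstat(path).st_mode)

def acl_command(path, user):
    """argv granting the crontab owner read-only access (built, not run)."""
    return ["setfacl", "-m", "u:%s:r" % user, path]

def demo():
    """Run the audit on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            # Hypothetical unit name; Description copies a crontab line.
            "cron-alice-0.timer": ("[Unit]\nDescription=*/5 * * * * sync\n", 0o644),
            "cron-alice-0.service": ("[Service]\nExecStart=/bin/true\n", 0o600),
            "notes.txt": ("not a unit\n", 0o644),
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write(body)
            os.chmod(path, mode)
        before = [(os.path.basename(p), m) for p, m in world_readable_units(d)]
        new_mode = tighten(os.path.join(d, "cron-alice-0.timer"))
        return before, new_mode, world_readable_units(d)

if __name__ == "__main__":
    print(demo())
```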



More information about the Pkg-systemd-maintainers mailing list