Bug#1004414: systemd-cron: generator turns crontabs public readable

Alexandre Detiste alexandre.detiste at gmail.com
Wed Feb 2 01:03:02 GMT 2022


This is pointless.

Nothing can be done to really improve the situation, as anybody can
look around in /proc .

On Thu, 27 Jan 2022 at 04:21, Robert Siemer
<Robert.Siemer-reportbug at backsla.sh> wrote:
>
> Package: systemd-cron
> Version: 1.15.18-1
> Severity: normal
> Tags: security
> X-Debbugs-Cc: Robert.Siemer-reportbug at backsla.sh, Debian Security Team <team at security.debian.org>
>
> Crontabs, especially in /var/spool/cron are not readable to all users.
> Translated command lines in unit files in
> /run/systemd/generator on the other hand are.
>
> Shell variable assignments, written before a command would turn
> readable to everyone, which they are otherwise never.
>
> Further: the changed situation improves the opportunities for
> snooping around. On purpose?
>
> Regards,
> Robert
>
>
> -- Package-specific info:
> -- output of systemd-delta
>
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers stable-security
>   APT policy: (500, 'stable-security'), (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 5.10.0-8-686-pae (SMP w/2 CPU threads)
> Kernel taint flags: TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages systemd-cron depends on:
> ii  libc6                       2.33-3
> ii  python3                     3.9.8-1
> ii  systemd [systemd-sysusers]  250.3-1
> ii  systemd-sysv                250.3-1
>
> Versions of packages systemd-cron recommends:
> ii  postfix [mail-transport-agent]  3.6.4-1
>
> systemd-cron suggests no packages.
>
> -- no debconf information
>
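
To see how far the exposure described in this report reaches on a given machine, an administrator can audit the generated units. This is an added example, not part of the original thread or of systemd-cron: it lists unit files in a directory (for instance /run/systemd/generator) that are readable by all users and whose ExecStart= line contains variable assignments, reporting only the variable names. The sample unit text, its ExecStart layout and the file names are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Heuristic: NAME=value words inside a command line (may also match e.g. "if=").
ASSIGN = re.compile(r"(?<![\w/.-])([A-Za-z_][A-Za-z0-9_]*)=")

def audit_units(unit_dir):
    """Return (path, variable names) for each world-readable unit file whose
    ExecStart= line carries variable assignments. Values are never reported."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_IROTH):
            continue  # not a regular file, or not readable by "other"
        names = []
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if line.startswith("ExecStart="):
                    names += ASSIGN.findall(line[len("ExecStart="):])
        if names:
            findings.append((path, names))
    return findings

def demo():
    """Run the audit over constructed sample units in a temporary directory."""
    # Constructed sample; the ExecStart layout is an assumption.
    unit = ("[Service]\n"
            "ExecStart=/bin/sh -c 'API_TOKEN=example /usr/local/bin/job --mode=fast'\n")
    with tempfile.TemporaryDirectory() as d:
        for fname, mode in (("sample-a.service", 0o644), ("sample-b.service", 0o600)):
            p = os.path.join(d, fname)
            with open(p, "w", encoding="utf-8") as fh:
                fh.write(unit)
            os.chmod(p, mode)  # set the mode explicitly, independent of umask
        return [(os.path.basename(p), n) for p, n in audit_units(d)]

if __name__ == "__main__":
    for fname, names in demo():
        print(f"{fname}: world-readable, assigns {', '.join(names)}")
```

Only the 0644 sample is reported; the 0600 copy with identical content is skipped because the check is on the file's "other" read bit.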


