Bug#1004414: systemd-cron: generator turns crontabs public readable
Robert Siemer
Robert.Siemer-reportbug at backsla.sh
Thu Jan 27 03:17:06 GMT 2022
Package: systemd-cron
Version: 1.15.18-1
Severity: normal
Tags: security
X-Debbugs-Cc: Robert.Siemer-reportbug at backsla.sh, Debian Security Team <team at security.debian.org>
Crontabs, especially in /var/spool/cron, are not readable to all users.
Translated command lines in unit files in
/run/systemd/generator, on the other hand, are.
Shell variable assignments written before a command would become
readable to everyone, which they otherwise never are.
Further: the changed situation improves the opportunities for
snooping around. On purpose?
Regards,
Robert
-- Package-specific info:
-- output of systemd-delta
-- System Information:
Debian Release: bookworm/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 5.10.0-8-686-pae (SMP w/2 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd-cron depends on:
ii libc6 2.33-3
ii python3 3.9.8-1
ii systemd [systemd-sysusers] 250.3-1
ii systemd-sysv 250.3-1
Versions of packages systemd-cron recommends:
ii postfix [mail-transport-agent] 3.6.4-1
systemd-cron suggests no packages.
-- no debconf information
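
An added example, not part of the original report and not systemd-cron's own code: a defender-side audit that lists unit files readable by "other" in a directory such as /run/systemd/generator and flags lines carrying NAME=value assignments. The file names and contents in demo() are constructed, and looking only at ExecStart= and Environment= lines is an assumption, since the report does not show how the generator writes the translated commands.

```python
import os
import re
import stat
import tempfile

# A NAME=value word such as TOKEN=abc, optionally behind an opening quote.
ASSIGNMENT = re.compile(r"""^["']?[A-Za-z_][A-Za-z0-9_]*=\S""")


def exposed_units(unit_dir):
    """Map each other-readable regular file in unit_dir to its assignment lines."""
    findings = {}
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        mode = os.lstat(path).st_mode
        if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
            continue  # not a regular file, or not readable by "other"
        hits = []
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                key, sep, value = line.strip().partition("=")
                # Assumption: assignments surface in these two directives.
                if sep and key in ("ExecStart", "Environment"):
                    if any(ASSIGNMENT.match(w) for w in value.split()):
                        hits.append((lineno, key))
        findings[name] = hits
    return findings


def demo():
    """Build a constructed generator directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        cmd = "[Service]\nExecStart=/bin/sh -c 'TOKEN=abc /usr/bin/job'\n"
        samples = {  # constructed file names, modes and contents
            "private.service": (0o600, cmd),
            "public-plain.service": (0o644, "[Service]\nExecStart=/usr/bin/job -q\n"),
            "public-secret.service": (0o644, cmd),
        }
        for name, (mode, body) in samples.items():
            path = os.path.join(d, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)  # explicit mode, independent of umask
        return exposed_units(d)


if __name__ == "__main__":
    for unit, hits in demo().items():
        print(unit, hits)
```

On a real system, call exposed_units("/run/systemd/generator") and compare the result with the modes of the crontabs under /var/spool/cron.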