** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cron in Ubuntu.
https://bugs.launchpad.net/bugs/1813833
Title:
  User without read permission on cron.allow can execute crontab

Status in cron package in Ubuntu:
  New

Bug description:
  /etc/cron.allow is meant to list the users who are allowed to execute crontab. For a user who is not listed, the output should be:

    $ crontab -e
    You (ubuntu) are not allowed to use this program (crontab)
    See crontab(1) for more information

  When /etc/cron.allow is not readable by that user, though, it's treated as though the file doesn't exist at all:

    $ sudo chmod o-r /etc/cron.allow
    $ crontab -e
    <opens the crontab editor; on exit:>
    crontab: installing new crontab

  The obvious workaround is to ensure that /etc/cron.allow is world readable, but unfortunately there are a lot of security tools and documentation out there that explicitly require both using cron.allow and also setting the permission on cron-related files to 600. Examples include https://secscan.acron.pl/ubuntu1604/5/1/8 and the CIS Level 1 benchmark for Ubuntu.

  The result of this bug is that a sysadmin attempting to lock down cron by following standard security guidance will fail to do so.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1813833/+subscriptions
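The access decision the report describes, modelled as an added example (this is not cron's own code and is not taken from the bug report). cron_user_allowed() consults the allow file first and then the deny file; with fail_closed=False it reproduces the reported behaviour, where an allow file that exists but cannot be read is treated like a missing file, and with fail_closed=True it shows the fail-safe interpretation, where an unreadable allow file denies everyone. The read_users parameter, the fail_closed flag, the assumption that no allow or deny file at all means every user is allowed, and the sample users and files created by demo() are all constructed for this example. allow_file_world_readable() is the check a sysadmin who has applied "600 on cron files" guidance can run to see whether this bug applies to their host.

```python
import os
import stat
import tempfile
from typing import Callable, Dict, List, Optional


def _read_users(path: str) -> List[str]:
    """Return the usernames listed in an allow/deny file, one per line."""
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def cron_user_allowed(user: str, allow_path: str, deny_path: str,
                      fail_closed: bool = True,
                      read_users: Callable[[str], List[str]] = _read_users) -> bool:
    """Decide whether `user` may run crontab (model of the reported logic, not cron's code).

    fail_closed=False: an unreadable allow file is ignored, as the bug report describes.
    fail_closed=True:  an allow file that exists but cannot be read denies access.
    """
    try:
        return user in read_users(allow_path)
    except FileNotFoundError:
        pass  # no allow file at all: fall through to the deny file
    except PermissionError:
        if fail_closed:
            return False
        # reported behaviour: unreadable allow file treated as absent
    try:
        return user not in read_users(deny_path)
    except FileNotFoundError:
        # Assumption for this example: neither file present means everyone is allowed.
        return True
    except PermissionError:
        return not fail_closed


def allow_file_world_readable(path: str) -> Optional[bool]:
    """Audit helper: True if `path` exists and has the other-read bit, False if it exists
    without it (the `chmod o-r` state from the report), None if the file is absent."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return None
    return bool(mode & stat.S_IROTH)


def demo() -> Dict[str, object]:
    """Exercise both behaviours on constructed files in a temporary directory."""
    tmp = tempfile.mkdtemp()
    allow = os.path.join(tmp, "cron.allow")
    deny = os.path.join(tmp, "cron.deny")  # deliberately never created
    with open(allow, "w") as fh:
        fh.write("alice\n")  # constructed allow list: only alice

    # Simulate the unprivileged user's view of a 600 allow file. A real open() would only
    # fail when not running as root, so the failure is injected instead.
    def unreadable_allow(path: str) -> List[str]:
        if path == allow:
            raise PermissionError(path)
        raise FileNotFoundError(path)

    results: Dict[str, object] = {
        "listed_user": cron_user_allowed("alice", allow, deny),
        "unlisted_user": cron_user_allowed("ubuntu", allow, deny),
        "unreadable_fail_open": cron_user_allowed("ubuntu", allow, deny, fail_closed=False,
                                                  read_users=unreadable_allow),
        "unreadable_fail_closed": cron_user_allowed("ubuntu", allow, deny, fail_closed=True,
                                                    read_users=unreadable_allow),
    }
    os.chmod(allow, 0o644)
    results["audit_644"] = allow_file_world_readable(allow)
    os.chmod(allow, 0o600)
    results["audit_600"] = allow_file_world_readable(allow)
    results["audit_missing"] = allow_file_world_readable(os.path.join(tmp, "absent"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "unreadable_fail_open" case is the one the report is about: an unlisted user ends up allowed purely because the allow file is unreadable to them. On a real host the equivalent check is the reporter's own repro, running crontab -e as an unlisted, unprivileged user after the allow file has been set to 600.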