*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

/etc/cron.allow is meant to list the users who are allowed to execute
crontab. For a user who is not listed, the output should be:

$ crontab -e
You (ubuntu) are not allowed to use this program (crontab)
See crontab(1) for more information

When /etc/cron.allow is not readable by that user, though, it's treated
as though the file doesn't exist at all:

$ sudo chmod o-r /etc/cron.allow
$ crontab -e
<opens the crontab editor; on exit: >
crontab: installing new crontab

The obvious workaround is to ensure that /etc/cron.allow is world
readable, but unfortunately there are a lot of security tools and
documentation out there that explicitly require both using cron.allow
and also setting the permission on cron-related files to 600. Examples
include https://secscan.acron.pl/ubuntu1604/5/1/8 and the CIS Level 1
benchmark for Ubuntu.

The result of this bug is that a sysadmin attempting to lock down cron
by following standard security guidance will fail to do so.

** Affects: cron (Ubuntu)
     Importance: Undecided
         Status: New

-- 
User without read permission on cron.allow can execute crontab
https://bugs.launchpad.net/bugs/1813833
You received this bug notification because you are a member of Ubuntu Bugs, 
which is subscribed to the bug report.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
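The allow/deny decision the report describes, as an added example (my own Python model of the logic, not cron's source): an allow file that exists but cannot be read raises PermissionError rather than FileNotFoundError, and the fail-open variant collapses both into "no allow file", which is exactly the behaviour the reporter observed. The fail-closed variant denies access whenever the policy file exists but cannot be consulted. The `make_opener` in-memory filesystem, the `fail_closed` and `default_allow` parameters and the sample file contents are all constructed for this example (a real EACCES cannot be reproduced when the example itself runs as root); `open` can be passed as the opener to run the same check against the real /etc/cron.allow and /etc/cron.deny.

```python
"""Model of cron's allow/deny check: fail-open (the reported bug) vs fail-closed."""
import io
from typing import Callable, Dict, Optional, Set

# An opener maps a path to a readable text file object (open() qualifies).
Opener = Callable[[str], io.TextIOBase]


def _users_in(path: str, opener: Opener, unreadable_is_missing: bool) -> Optional[Set[str]]:
    """Return the user names listed in `path`, or None if the file does not exist.

    With unreadable_is_missing=True an unreadable file is also reported as None,
    i.e. "no such file" - the fail-open behaviour the bug report describes.
    Otherwise PermissionError propagates so the caller can fail closed.
    """
    try:
        with opener(path) as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return None
    except PermissionError:
        if unreadable_is_missing:
            return None
        raise


def allowed(user: str, opener: Opener, fail_closed: bool,
            allow_path: str = "/etc/cron.allow",
            deny_path: str = "/etc/cron.deny",
            default_allow: bool = True) -> bool:
    """Decide whether `user` may use crontab.

    Precedence follows crontab(1): an allow file, if present, is authoritative;
    otherwise a deny file, if present, is consulted; otherwise `default_allow`
    (an assumption here; real installations differ) applies.
    """
    try:
        allow = _users_in(allow_path, opener, unreadable_is_missing=not fail_closed)
    except PermissionError:
        return False  # policy file exists but is unreadable: deny (fail closed)
    if allow is not None:
        return user in allow

    try:
        deny = _users_in(deny_path, opener, unreadable_is_missing=not fail_closed)
    except PermissionError:
        return False
    if deny is not None:
        return user not in deny
    return default_allow


def make_opener(files: Dict[str, Optional[str]]) -> Opener:
    """Build an opener over a constructed in-memory filesystem.

    `files` maps path -> content. A value of None marks a file that exists but
    is not readable by the caller (e.g. root-owned, mode 0600), so opening it
    raises PermissionError just as open() would for a real unreadable file.
    """
    def opener(path: str) -> io.TextIOBase:
        if path not in files:
            raise FileNotFoundError(path)
        if files[path] is None:
            raise PermissionError(path)
        return io.StringIO(files[path])
    return opener


def scenarios() -> Dict[str, bool]:
    """Reproduce the report: cron.allow lists only root; 'ubuntu' asks for crontab."""
    readable = make_opener({"/etc/cron.allow": "root\n"})        # world-readable allow file
    unreadable = make_opener({"/etc/cron.allow": None})          # same file after chmod o-r
    return {
        "readable_fail_open": allowed("ubuntu", readable, fail_closed=False),
        "root_readable": allowed("root", readable, fail_closed=False),
        # The bug: unreadable allow file is treated as absent, so 'ubuntu' gets in.
        "unreadable_fail_open": allowed("ubuntu", unreadable, fail_closed=False),
        # Hardened behaviour: an unreadable policy file denies access.
        "unreadable_fail_closed": allowed("ubuntu", unreadable, fail_closed=True),
    }


if __name__ == "__main__":
    import getpass
    for name, result in scenarios().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
    # Same check against the real system files for the current user.
    me = getpass.getuser()
    for fail_closed in (False, True):
        verdict = allowed(me, open, fail_closed=fail_closed)
        print(f"{me} on this host (fail_closed={fail_closed}): {'allowed' if verdict else 'denied'}")
```

The `scenarios()` output shows the discrepancy the report is about: with cron.allow readable the outcome is the same in both modes, but once the file is unreadable only the fail-closed variant still honours it. The in-memory opener is what makes that reproducible in a test; against real files the result depends on who runs the script, since root bypasses mode bits and never sees EACCES.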