[Bug 1813833] Re: User without read permission on cron.allow can execute crontab

[Marc Deslauriers]

** Changed in: cron (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cron in Ubuntu.
https://bugs.launchpad.net/bugs/1813833

Title:
  User without read permission on cron.allow can execute crontab

Status in cron package in Ubuntu:
  Confirmed

Bug description:
  /etc/cron.allow is meant to list the users who are allowed to execute
  crontab. For a user who is not listed, the output should be:

  $ crontab -e
  You (ubuntu) are not allowed to use this program (crontab)
  See crontab(1) for more information

  When /etc/cron.allow is not readable by that user, though, it's
  treated as though the file doesn't exist at all:

  $ sudo chmod o-r /etc/cron.allow 
  $ crontab -e
  <opens the crontab editor; on exit: >
  crontab: installing new crontab

  The obvious workaround is to ensure that /etc/cron.allow is world
  readable, but unfortunately there are a lot of security tools and
  documentation out there that explicitly require both using cron.allow
  and also setting the permission on cron-related files to 600. Examples
  include https://secscan.acron.pl/ubuntu1604/5/1/8 and the CIS Level 1
  benchmark for Ubuntu.

  The result of this bug is that a sysadmin attempting to lock down cron
  by following standard security guidance will fail to do so.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1813833/+subscriptions