Package: systemd-cron Version: 1.3.1+ds1-1 Severity: minor Generally, crontabs are only visible by the owner.
After #766053 gets fixed, the issue still remains in the sense that the generated units/timers (coming from crontabs) have root:root 644 permissions, which are readable by everyone. I've seen 'journalctl' actually uses ACLs, so maybe it's safe to use ACLs by default now since systemd is a dependency? In that case, I would chmod the user-generated units/timers to 640, and add an explicit ACL for 400 user:root (the same is done by journald when using the 'login' splitting method - so I'm not using a new method here). This prevents the file to be modified by the user, while still giving him r/o access. Not that we strictly need it anyway: 640 root:root would be enough. The description itself contains a copy of the crontab line. I would actually prefer the normal description to be just "crontab-user:line" (easier to debug than matching text). It's less noisy in the unit list, and also easier to grep for. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (900, 'unstable'), (800, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages systemd-cron depends on: ii init-system-helpers 1.21 ii python 2.7.8-2 pn python:any <none> ii systemd-sysv 215-5+b1 systemd-cron recommends no packages. systemd-cron suggests no packages. -- debsums errors found: debsums: changed file /lib/systemd/system-generators/systemd-crontab-generator (from systemd-cron package) -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org