Cron jobs output are sent to the network by default
Robert Marcano
robert at marcanoonline.com
Tue Oct 28 17:50:08 UTC 2014
I created a new bug [1] that explains that ssmtp is sending all cron
jobs output to an external SMTP server. I marked it as a security bug,
the security tag was removed and it was recommend to make it public,
something I can't do. I will resume the problem here, because there are
comments that says that it isn't a security bug, I disagree:
1- Fedora 20 shipped with the feature of not running a SMTP server by
default, I was fine with it because I don't need to send emails or
receive emails locally using it.
2- an update pulled ssmtp
Apr 20 19:06:14 Installed: ssmtp-2.64-11.fc20.x86_64
Apr 20 19:06:15 Updated: 1:smartmontools-6.2-5.fc20.x86_64
3- ssmtp is configured by default to send emails to a host named mail
4- If a cron jobs runs the email is sent to mail.[your.domain] without
you ever configuring that.
5- I don't care about the crob job output, I noticed by chance that this
was happening because I have a cron job to do fstrim weekly and the
output was sent to a server I manage and that has the root alias set to me.
6- People can be writing cron jobs, that like me, don't care about the
output email, but don't know that output is being sent to a probably
third party server without their knowledge (your ISP mail server?),
those emails could be a potential leak of private information. Fedora 20
was supposed to not send them because it featured a no SMTP server
feature [2] and one of the most discussed things was that with the
absence of the SMTP server cron jobs will only be logged.
I am not saying that the bug is with ssmtp, but ssmtp should require
manual configuration, or no one should be pulling it like smartmontools
or redhat-lsb
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1157727
[2]
http://docs.fedoraproject.org/en-US/Fedora/20/html/Release_Notes/sect-Release_Notes-Changes_for_Sysadmin.html#idm219017868704
More information about the devel
mailing list