Bug 167873
Summary: | cron jobs fail to run after fiddling around in pam.d | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Paul Johnson <pauljohn> |
Component: | vixie-cron | Assignee: | Marcela Mašláňová <mmaslano> |
Status: | CLOSED NOTABUG | QA Contact: | Brock Organ <borgan> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 4 | Keywords: | FutureFeature |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Enhancement |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2006-09-08 13:11:02 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Paul Johnson
2005-09-09 04:18:47 UTC
It sounds like you've installed the pam_mount module (from http://flyn.org/projects/pam_mount/index.html or http://fedoraproject.org/extras/4/i386/repodata/repoview/pam_mount-0-0.9.25-3.html), which is NOT shipped by default with Fedora. I have downloaded pam_mount-0.9.9 from flyn.org, and tried playing around with it. The purpose of this module seems to be to mount users' home directories if they are not mounted when the user first authenticates with a PAM-aware application that has pam_mount in its 'auth' service stack. It supports "mount" operations that may require userid and password options, such as those for SMB, NCP, and encrypted-FS, and CLAIMS to support mounts for filesystems that do not require any authentication mount options, such as NFS.

But pam_mount REQUIRES that the PAM_AUTHTOK PAM item (the user password) be set when its pam_sm_authenticate ('auth' service handler) function is called, even if its configuration file contains no volumes that require authentication options (e.g. a single NFS volume) - otherwise it will emit the message "pam_mount: error trying to retrieve authtok from auth code" in its pam_sm_open_session ('session' service handler), not attempt the mount, and fail the open session service call. There is possibly room for improvement in pam_mount here: if it sees that no password is required for a user's mounts in its configuration file, it should not complain and give up if it cannot obtain the user's password from the PAM_AUTHTOK item.

By default, pam_unix and most other default PAM 'password' service handlers do not set the PAM_AUTHTOK item to the user's password in pam_sm_authenticate. The pam_ldap module does, however, which is why it is able to be used for pam_mount. crond, like other system daemons that run as root, never has access to the user's password, and must rely on the pam_rootok module to authenticate as the users on behalf of which it runs jobs. pam_rootok never even looks up the user's password, let alone sets PAM_AUTHTOK. So any system services, such as crond and atd, that need to acquire the credentials of other users in order to perform actions on their behalf, but which do not interact with users, cannot use modules such as pam_mount at the moment. It is better security NOT to have the PAM_AUTHTOK pam item set to the user's password in all processes, as it is then easier for attackers to dig passwords out of running processes' memory.

A better solution for you, rather than modifying the system-auth pam configuration to use pam_mount, would be to only modify the pam configuration of the applications that you use to login with, e.g. gdm / xdm / kde, sshd, login, to use ldap and pam_mount. Then your home directory would be mounted when you login, and you would not need to modify the system-auth configuration and the configurations which use system-auth such as crond and atd. While I've not had time to analyse pam_mount in detail, it is probably more secure to restrict its use to those services that require it, rather than have it in the system-auth.

There is perhaps a need for crond and atd to be able to use pam modules that require the user's password, and to be able to do things like mount their home directories when the job is running. So I will consider this as a request to enhance cron to provide a per-job option that, once it had authenticated as the user with pam_rootok and gained the user's credentials, would make cron look up the user's password, set PAM_AUTHTOK to it, and then open the pam session - that would allow modules such as pam_mount to be used for the crond session service. This bug is hence NOT a security vulnerability, but an enhancement request.

I agree with previous maintainer. I close it.
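The maintainer's advice above is that pam_mount belongs in the stacks of interactive login services, not in system-auth, because every service that defers to system-auth (crond and atd among them) inherits it. The following added example (not part of this Bugzilla thread, and not code from vixie-cron or pam_mount) is a small audit script that resolves PAM stacks across a set of /etc/pam.d files, following both the old `pam_stack.so service=NAME` indirection and the newer `include` keyword, and reports every service whose auth or session stack would invoke pam_mount. The two sets of pam.d contents are constructed for illustration: one with pam_mount added to system-auth (the situation in this bug) and one with pam_mount confined to sshd. Module names, control flags and the sample files are assumptions, not copied from any Fedora release.

```python
"""Audit which PAM services end up running a given module.

Constructed example: resolves 'pam_stack.so service=NAME' and
'include NAME' indirection over in-memory /etc/pam.d contents and
reports every service whose auth/session stack reaches pam_mount.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed /etc/pam.d snapshot with pam_mount added to system-auth.
# Every service that defers to system-auth (here: crond, sshd) inherits it.
PAMD_WRONG: Dict[str, str] = {
    "system-auth": """
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     optional   pam_mount.so
auth     required   pam_deny.so
account  required   pam_unix.so
session  required   pam_limits.so
session  required   pam_unix.so
session  optional   pam_mount.so
""",
    "crond": """
auth     sufficient pam_rootok.so
auth     required   pam_stack.so service=system-auth
account  required   pam_stack.so service=system-auth
session  required   pam_stack.so service=system-auth
""",
    "sshd": """
auth     required   pam_stack.so service=system-auth
account  required   pam_stack.so service=system-auth
session  required   pam_stack.so service=system-auth
""",
}

# Constructed snapshot with pam_mount confined to the sshd login service.
PAMD_RIGHT: Dict[str, str] = {
    "system-auth": """
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     required   pam_deny.so
account  required   pam_unix.so
session  required   pam_limits.so
session  required   pam_unix.so
""",
    "crond": PAMD_WRONG["crond"],
    "sshd": """
auth     optional   pam_mount.so
auth     include    system-auth
account  include    system-auth
session  include    system-auth
session  optional   pam_mount.so
""",
}

# type, control (plain word or [bracketed ...] form), module/service, optional args
LINE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$"
)


def parse(text: str) -> List[Tuple[str, str, str, str]]:
    """Turn one pam.d file into (type, control, module, args) tuples; comments dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            entries.append((mtype, control, module, args or ""))
    return entries


def modules_for(pamd: Dict[str, str], service: str, mtype: str,
                seen: Optional[Set[str]] = None) -> List[str]:
    """Ordered module names in the `mtype` stack of `service`, indirection resolved.

    `seen` guards against include cycles between service files.
    """
    seen = seen or set()
    if service in seen or service not in pamd:
        return []
    seen = seen | {service}
    out: List[str] = []
    for t, control, module, args in parse(pamd[service]):
        if t != mtype:
            continue
        if control in ("include", "substack"):      # newer Linux-PAM syntax
            out.extend(modules_for(pamd, module, mtype, seen))
        elif module == "pam_stack.so":              # older Fedora/RHEL indirection
            target = re.search(r"service=(\S+)", args)
            if target:
                out.extend(modules_for(pamd, target.group(1), mtype, seen))
        else:
            out.append(module)
    return out


def services_using(pamd: Dict[str, str], module: str = "pam_mount.so",
                   mtypes: Tuple[str, ...] = ("auth", "session")) -> Dict[str, List[str]]:
    """Map each service to the stack types in which `module` would run."""
    hits: Dict[str, List[str]] = {}
    for service in pamd:
        types = [t for t in mtypes if module in modules_for(pamd, service, t)]
        if types:
            hits[service] = types
    return hits


if __name__ == "__main__":
    for label, pamd in (("pam_mount in system-auth", PAMD_WRONG),
                        ("pam_mount only in sshd", PAMD_RIGHT)):
        print(f"{label}: {services_using(pamd)}")
```

Run against the first snapshot, crond shows up alongside sshd, which is exactly how a cron job ends up in pam_mount's session handler without a PAM_AUTHTOK; in the second, only sshd is reported. Bracketed control values such as `[success=1 default=ignore]` are accepted, but an include cycle between files is simply cut rather than flagged.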