Bug 453097

Summary: pam_listfile doesn't work for crond
Product: Red Hat Enterprise Linux 5 Reporter: Qian Shen <qshen>
Component: crontabsAssignee: Marcela Mašláňová <mmaslano>
Status: CLOSED NOTABUG QA Contact: Brock Organ <borgan>
Severity: low Docs Contact:
Priority: low    
Version: 5.2CC: mzhan
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-27 15:02:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Qian Shen 2008-06-27 09:10:02 UTC 
Description of problem:
I want to limit some users using crontab. I know /etc/cron.allow may do it, but
it doesn't take effect if a crontab task  already exist before this file is
created. So I try pam_listfile.so, but it seems  not take effect.

Version-Release number of selected component (if applicable):
RHEL5.2
vixie-cron-4.1-72.el5
pam-0.99.6.2-3.27.el5

How reproducible:

always reproducible

Steps to Reproduce:
1.create 2 users: user1,user2

2.add a cron task to both user1, user2
crontab -e: 
*/1 * * * * ls

3.in /etc/pam.d/crond, add this line:
auth      required   pam_listfile.so onerr=fail item=user sense=allow
file=/tmp/listfile
  
4.create /tmp/listfile, add user1 in it.

5. service crond restart

Actual results:

Both the cron task of  user1, user2 can be executed


Expected results:

Only user1's cron task can be executed, user2's task should not be executed.


Additional info:
Comment 1 Marcela Mašláňová 2008-06-27 15:02:48 UTC 
You need at first line in /etc/pam.d/crond this:
account    required   pam_listfile.so onerr=fail item=user sense=allow
file=/tmp/listfile

It can't be working with auth.
Comment 2 Qian Shen 2008-06-30 01:37:29 UTC 
Hi Marcela,

it's surprised that pam_listfile can't work with crond in auth. From man
pam_listfile, I get:
 
          #
          # deny ftp-access to users listed in the /etc/ftpusers file
          #
          auth    required       pam_listfile.so \
                  onerr=succeed item=user sense=deny file=/etc/ftpusers

So pam_listfile can work with ftp in auth. I don't know why pam_listfile can't
work with crond in auth?
Comment 3 Tomas Mraz 2008-06-30 07:13:35 UTC 
Because crond doesn't use auth at all. As the cron jobs are running in the
background it makes no sense to call authentication functions - there would be
no way to supply a password to modules etc.