Bug 541189

Summary: cron and /etc/security/pam_env.conf problem
Product: Red Hat Enterprise Linux 5
Reporter: Masahiro Matsuya <mmatsuya>
Component: vixie-cron
Assignee: Marcela Mašláňová <mmaslano>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: urgent
Priority: urgent
Version: 5.4
CC: azelinka, ovasik, plyons, psklenar, shantikatta, tao, theo_nra
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Last Closed: 2012-02-20 22:13:33 EST
Bug Blocks: 502912, 546568

Attachments:
  proposed patch
  Building environment.

Description Masahiro Matsuya 2009-11-25 02:15:57 EST
Description of problem:

 cron does not implement environment variables set in /etc/security/pam_env.conf. 
 The file /etc/pam.d/crond has pam_env.so as required for auth, not for session.

 The cron man page says:
    PAM Access Control
    On Red Hat systems, crond now supports access control with PAM - see
    pam(8). A PAM configuration file for crond is installed in
    /etc/pam.d/crond. crond loads the PAM environment from the pam_env
    module, but these can be overridden by settings in the crontab file.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

  1) create a file /etc/cron.hourly/callenv.cron containing

   printenv FLEGMATE
   echo $FLEGMATE
  2) added to /etc/security/pam_env.conf:

  3) log out and login to make sure FLEGMATE is part of env

   # printenv FLEGMATE

  4) Created a crontab with crontab -e
   00 * * * *  /etc/cron.hourly/callenv.cron
   05 * * * *  /etc/cron.hourly/callenv.cron
   10 * * * *  /etc/cron.hourly/callenv.cron
   15 * * * *  /etc/cron.hourly/callenv.cron
   25 * * * *  /etc/cron.hourly/callenv.cron
   35 * * * *  /etc/cron.hourly/callenv.cron
   45 * * * *  /etc/cron.hourly/callenv.cron
   55 * * * *  /etc/cron.hourly/callenv.cron

  5) The email from cron is as follows (FLEGMATE not present)

  # mail
  Mail version 8.1 6/6/93.  Type ? for help.
  "/var/spool/mail/testuser": 1 message 1 new
  >N  1 root@test.net  Thu Nov 12 12:25  30/960   "Cron <testuser@test> /"
  & 1
  Message 1:
  From testuser@test.net  Thu Nov 12 12:25:01 2009
  Date: Thu, 12 Nov 2009 12:25:01 -0600
  From: root@test.net (Cron Daemon)
  To: testuser@test.net
  Subject: Cron <testuser@test> /etc/cron.hourly/callenv.cron
  Content-Type: text/plain; charset=UTF-8
  Auto-Submitted: auto-generated
  X-Cron-Env: <SHELL=/bin/sh>
  X-Cron-Env: <HOME=/home/testuser>
  X-Cron-Env: <PATH=/usr/bin:/bin>
  X-Cron-Env: <LOGNAME=testuser>
  X-Cron-Env: <USER=testuser>

Actual results:

  FLEGMATE is not defined in the cron script

Expected results:

  FLEGMATE is defined in the cron script

Additional info:

'auth required' needs to be replaced by 'session required', but that alone is not enough for this issue.

There is a problem in cron_set_job_security_context() of security.c (excerpt; only the lines relevant to the ordering are shown):

int cron_set_job_security_context( entry *e, user *u, char ***jobenv )
{
   if ( cron_open_security_session( e->pwd ) != 0 ) {
       syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
              e->pwd->pw_name, strerror(errno));
       return -1;
   }

   *jobenv = build_env( e->envp );              /* job environment is built here ... */
   if ( cron_get_job_range(u, &ucontext, *jobenv) < OK )
       /* ... */

   if ( cron_start_security_session( e->pwd ) != 0 ) {   /* ... but pam_env.conf is only read here */
       syslog(LOG_INFO, "CRON (%s) ERROR: failed to start PAM security session: %s",
              e->pwd->pw_name, strerror(errno));
       return -1;
   }
   /* ... */

The env variables are configured in build_env(). On the other hand, the variables defined in /etc/security/pam_env.conf are read in cron_start_security_session(). This means that build_env() is executed before cron_start_security_session(). As a result, the env variables read in cron_start_security_session() are not reflected. Clearly, the execution of build_env() needs to be after cron_start_security_session().
jobenv is used in cron_get_job_range(), so we cannot remove build_env().

I created a patch. This patch executes build_env() twice in cron_set_job_security_context() and changes crond.pam.

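The ordering defect described in the report, as an added example that is not vixie-cron's code and not the reporter's patch: a self-contained model in which the PAM environment only becomes visible once the session has been started, so an environment built before that point lacks the pam_env.conf entries while one rebuilt afterwards has them, with crontab settings still overriding PAM ones as the cron(8) text quoted above requires. The names pam_session, sim_start_session, sim_getenvlist, pam_conf_env, crontab_env and build_job_env are invented for this illustration, and the entries in the two arrays are constructed sample data; in real cron the PAM list would come from pam_getenvlist(3).

```c
/* Added example, not vixie-cron's own code. pam_session/sim_* are stand-ins
 * for the PAM handle; pam_conf_env and crontab_env hold constructed data. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 64

/* pam_env.conf entries become visible only after the session is started,
 * because that is where pam_env.so runs in this model. */
struct pam_session { int started; char **conf_env; };

static char **sim_getenvlist(const struct pam_session *s)
{ return s->started ? s->conf_env : NULL; }

static void sim_start_session(struct pam_session *s)
{ s->started = 1; }   /* /etc/security/pam_env.conf is read "here" */

/* Look up NAME in a NULL-terminated "NAME=VALUE" array; NULL if absent. */
static const char *env_get(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (; env && *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    return NULL;
}

/* Insert or replace one "NAME=VALUE" entry in a bounded, NULL-terminated array. */
static void env_set(char **env, size_t *count, const char *kv)
{
    const char *eq = strchr(kv, '=');
    if (eq == NULL)
        return;
    size_t n = (size_t)(eq - kv);
    for (size_t i = 0; i < *count; i++) {
        if (strncmp(env[i], kv, n) == 0 && env[i][n] == '=') {
            free(env[i]);
            env[i] = strdup(kv);
            return;
        }
    }
    if (*count + 1 < MAX_ENV) {
        env[(*count)++] = strdup(kv);
        env[*count] = NULL;
    }
}

/* PAM entries first, crontab entries second: a crontab setting overrides
 * pam_env.conf, as the man page text quoted in the report says it should. */
static char **build_job_env(char *const *pam_env, char *const *crontab_env)
{
    char **env = calloc(MAX_ENV, sizeof *env);
    size_t count = 0;
    for (; pam_env && *pam_env; pam_env++)
        env_set(env, &count, *pam_env);
    for (; crontab_env && *crontab_env; crontab_env++)
        env_set(env, &count, *crontab_env);
    return env;
}

static void free_env(char **env)
{
    for (char **p = env; p && *p; p++)
        free(*p);
    free(env);
}

/* Constructed sample data: what pam_env.conf and the crontab would contribute. */
static char *pam_conf_env[] = { "FLEGMATE=1", "EDITOR=vim", NULL };
static char *crontab_env[]  = { "SHELL=/bin/sh", "EDITOR=nano", NULL };

/* Order as shipped: environment built before the session is started, so the
 * pam_env.conf entries are not yet visible and FLEGMATE is missing. */
char **job_env_as_shipped(void)
{
    struct pam_session s = { 0, pam_conf_env };
    char **env = build_job_env(sim_getenvlist(&s), crontab_env);
    sim_start_session(&s);
    return env;
}

/* Rebuilt after the session start (the "build_env() twice" idea): the first
 * build still feeds the range check, the second is what the job runs with. */
char **job_env_rebuilt(void)
{
    struct pam_session s = { 0, pam_conf_env };
    char **env = build_job_env(sim_getenvlist(&s), crontab_env);   /* for the range check */
    sim_start_session(&s);
    free_env(env);
    env = build_job_env(sim_getenvlist(&s), crontab_env);          /* for the job itself */
    return env;
}

int main(void)
{
    char **a = job_env_as_shipped(), **b = job_env_rebuilt();
    const char *f = env_get(a, "FLEGMATE");
    printf("as shipped: FLEGMATE=%s\n", f ? f : "(unset)");
    printf("rebuilt:    FLEGMATE=%s EDITOR=%s\n", env_get(b, "FLEGMATE"), env_get(b, "EDITOR"));
    free_env(a);
    free_env(b);
    return 0;
}
```

The check to keep from this when verifying a fixed crond is the second one: the variable from pam_env.conf must appear in the job's environment, and a crontab assignment of the same name must still win.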

Comment 1 Masahiro Matsuya 2009-11-25 02:18:41 EST
Created attachment 373675 [details]
proposed patch

I confirmed that this issue was gone by this patch.
Comment 5 Marcela Mašláňová 2009-12-10 05:16:07 EST
The patch isn't fully correct. I'm working on new one.
Comment 6 Marcela Mašláňová 2009-12-10 09:40:22 EST
Created attachment 377461 [details]
Building environment.
Comment 7 Marcela Mašláňová 2009-12-10 09:42:28 EST
The correct pam configuration:
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

It was tested with the new patch and this pam configuration.
Comment 20 errata-xmlrpc 2012-02-20 22:13:33 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.