Bug 541189

Summary: cron and /etc/security/pam_env.conf problem
Product: Red Hat Enterprise Linux 5
Reporter: Masahiro Matsuya <mmatsuya>
Component: vixie-cron
Assignee: Marcela Mašláňová <mmaslano>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: urgent
Priority: urgent
Version: 5.4
CC: azelinka, ovasik, plyons, psklenar, shantikatta, tao, theo_nra
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-02-21 03:13:33 UTC
Bug Blocks: 502912, 546568
Attachments:
  - proposed patch (attachment 373675)
  - Building environment. (attachment 377461)

Description Masahiro Matsuya 2009-11-25 07:15:57 UTC
Description of problem:

 cron does not implement environment variables set in /etc/security/pam_env.conf. 
 The file /etc/pam.d/crond has pam_env.so as required for auth, not for session.

 The cron man page says:
 
    PAM Access Control
    On Red Hat systems, crond now supports access control with PAM - see
    pam(8). A PAM configuration file for crond is installed in
    /etc/pam.d/crond. crond loads the PAM environment from the pam_env
    module, but these can be overridden by settings in the crontab file.

Version-Release number of selected component (if applicable):

  vixie-cron-4.1-76.el5-x86_64

How reproducible:

  Always

Steps to Reproduce:

  1) create a file /etc/cron.hourly/callenv.cron containing

   env
   printenv FLEGMATE
   echo $FLEGMATE
 
  2) add to /etc/security/pam_env.conf:
 
   FLEGMATE  DEFAULT="one"   OVERRIDE="two"

  3) log out and log in to make sure FLEGMATE is part of the environment

   # printenv FLEGMATE
   two

  4) create a crontab with crontab -e:
 
   00 * * * *  /etc/cron.hourly/callenv.cron
   05 * * * *  /etc/cron.hourly/callenv.cron
   10 * * * *  /etc/cron.hourly/callenv.cron
   15 * * * *  /etc/cron.hourly/callenv.cron
   25 * * * *  /etc/cron.hourly/callenv.cron
   35 * * * *  /etc/cron.hourly/callenv.cron
   45 * * * *  /etc/cron.hourly/callenv.cron
   55 * * * *  /etc/cron.hourly/callenv.cron

  5) The email from cron is as follows (FLEGMATE not present)

  # mail
  Mail version 8.1 6/6/93.  Type ? for help.
  "/var/spool/mail/testuser": 1 message 1 new
  >N  1 root  Thu Nov 12 12:25  30/960   "Cron <testuser@test> /"
  & 1
  Message 1:
  From testuser  Thu Nov 12 12:25:01 2009
  Date: Thu, 12 Nov 2009 12:25:01 -0600
  From: root (Cron Daemon)
  To: testuser
  Subject: Cron <testuser@test> /etc/cron.hourly/callenv.cron
  Content-Type: text/plain; charset=UTF-8
  Auto-Submitted: auto-generated
  X-Cron-Env: <SHELL=/bin/sh>
  X-Cron-Env: <HOME=/home/testuser>
  X-Cron-Env: <PATH=/usr/bin:/bin>
  X-Cron-Env: <LOGNAME=testuser>
  X-Cron-Env: <USER=testuser>
  
  SHELL=/bin/sh
  USER=testuser
  PATH=/usr/bin:/bin
  _=/usr/bin/env
  PWD=/home/testuser
  HOME=/home/testuser
  SHLVL=2
  LOGNAME=testuser

Actual results:

  FLEGMATE is not defined in the cron script

Expected results:

  FLEGMATE is defined in the cron script

Additional info:

'auth required' needs to be replaced by 'session required', but that alone is not enough for this issue.

There is a problem in cron_set_job_security_context() of security.c.

-----------------------
int cron_set_job_security_context( entry *e, user *u, char ***jobenv )
{
   ...
   if ( cron_open_security_session( e->pwd ) != 0 )
   {
       syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
              e->pwd->pw_name, strerror(errno)
             );
       return -1;
   }

   /* job environment is assembled here, before the PAM session is started */
   *jobenv = build_env( e->envp );
  
   ...
   /* the range check needs *jobenv, so build_env() cannot simply be dropped */
   if ( cron_get_job_range(u, &ucontext, *jobenv) < OK )
   ...

   /* variables from pam_env.conf only appear in the PAM environment here,
    * after build_env() has already run */
   if ( cron_start_security_session( e->pwd ) != 0 )
   {
       syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
              e->pwd->pw_name, strerror(errno)
             );
       return -1;
   }
-----------------------

The env variables are configured in build_env(). On the other hand, the variables defined in /etc/security/pam_env.conf are read in cron_start_security_session(). This means that build_env() is executed before cron_start_security_session(). As a result, the env variables read in cron_start_security_session() are not reflected. Clearly, the execution of build_env() needs to come after cron_start_security_session().
jobenv is used in cron_get_job_range(), so we cannot remove build_env().

I created a patch. This patch executes build_env() twice in cron_set_job_security_context() and changes crond.pam.

Thanks,

Masahiro
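The report above hinges on two things: how pam_env resolves a `VARIABLE DEFAULT=... OVERRIDE=...` line, and the order in which crond assembles the job environment. The following is an added illustration, not crond's code nor the reporter's patch: a small Python model of the pam_env.conf resolution rules (OVERRIDE wins when non-empty after expansion, otherwise DEFAULT; `@{PAM_ITEM}` and `${ENVVAR}` references are expanded; a variable whose final value is empty is not set) and of the merge order crond should use, with the PAM session environment as the base and crontab settings on top, as the man page describes. The conf text, the crontab environment and the PAM item values are constructed sample data; `simulate_crond` is a hypothetical helper that contrasts the broken ordering (build_env() before the session) with the fixed one. Python is used here because the verifier can run it; the real logic lives in crond's C and in pam_env.so.

```python
"""Model of pam_env.conf resolution and crond's job-environment merge order.

Added example for this bug report; constructed sample data, not crond's
own code. It exists to show why building the job environment before the
PAM session is opened silently drops every pam_env.conf variable.
"""
import re
import shlex

# Constructed sample of /etc/security/pam_env.conf content (includes the
# reporter's FLEGMATE line plus a few edge cases).
SAMPLE_PAM_ENV_CONF = """
# comment line
FLEGMATE   DEFAULT="one"        OVERRIDE="two"
EDITOR     DEFAULT=vi           OVERRIDE=
REMOTEHOST DEFAULT=localhost    OVERRIDE=@{PAM_RHOST}
MYPATH     DEFAULT=${HOME}/bin:/usr/bin
EMPTYVAR   DEFAULT=             OVERRIDE=
"""

# Constructed crontab-side environment: what crond itself provides for a
# job (compare the X-Cron-Env headers in the report's mail).
SAMPLE_CRONTAB_ENV = {
    "SHELL": "/bin/sh",
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/testuser",
    "LOGNAME": "testuser",
    "USER": "testuser",
}

_ITEM_RE = re.compile(r"@\{([A-Za-z_]+)\}")
_ENVREF_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def _expand(value, pam_items, env):
    """Expand @{PAM_ITEM} and ${ENVVAR} references; unknown ones become ''."""
    value = _ITEM_RE.sub(lambda m: pam_items.get(m.group(1), ""), value)
    return _ENVREF_RE.sub(lambda m: env.get(m.group(1), ""), value)


def parse_pam_env_conf(text, pam_items=None, base_env=None):
    """Return the variables pam_env would set for the given conf text.

    OVERRIDE is used when it is non-empty after expansion, otherwise
    DEFAULT; a variable whose final value is empty is left unset.
    """
    pam_items = pam_items or {}
    env = dict(base_env or {})
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # strips the double quotes
        name, fields = parts[0], parts[1:]
        default = override = ""
        for field in fields:
            key, _, val = field.partition("=")
            if key == "DEFAULT":
                default = val
            elif key == "OVERRIDE":
                override = val
        value = _expand(override, pam_items, env) or _expand(default, pam_items, env)
        if value:
            result[name] = value
            env[name] = value              # later lines may reference it
    return result


def build_job_env(crontab_env, pam_env):
    """Merge order crond needs: PAM session environment first, crontab on top."""
    merged = dict(pam_env)
    merged.update(crontab_env)
    return merged


def simulate_crond(conf_text, crontab_env, build_env_before_session):
    """Hypothetical helper contrasting the two orderings from the report."""
    pam_env = parse_pam_env_conf(conf_text, base_env=crontab_env)
    if build_env_before_session:
        # The bug: the job environment is assembled while the PAM
        # environment is still empty, so pam_env.conf never contributes.
        return build_job_env(crontab_env, {})
    return build_job_env(crontab_env, pam_env)


if __name__ == "__main__":
    for before in (True, False):
        jobenv = simulate_crond(SAMPLE_PAM_ENV_CONF, SAMPLE_CRONTAB_ENV, before)
        print("build_env before session:", before,
              "-> FLEGMATE =", jobenv.get("FLEGMATE", "<unset>"))
```

Running the block prints FLEGMATE as unset for the broken ordering and as `two` for the fixed one, which is exactly the difference between the mail in the report and the expected result. `build_job_env` deliberately lets crontab entries shadow PAM ones, matching the man page's statement that crontab settings override the PAM environment.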

Comment 1 Masahiro Matsuya 2009-11-25 07:18:41 UTC
Created attachment 373675 [details]
proposed patch

I confirmed that this issue was gone by this patch.

Comment 5 Marcela Mašláňová 2009-12-10 10:16:07 UTC
The patch isn't fully correct. I'm working on a new one.

Comment 6 Marcela Mašláňová 2009-12-10 14:40:22 UTC
Created attachment 377461 [details]
Building environment.

Comment 7 Marcela Mašláňová 2009-12-10 14:42:28 UTC
The correct pam configuration:
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

It was tested with the new patch and this pam configuration.

Comment 20 errata-xmlrpc 2012-02-21 03:13:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0304.html