Bug 802511

Summary: crontab commands fail because of pam configuration
Product: Red Hat Enterprise Linux 5
Reporter: Alan Mikolajczuk <alan.mikolajczuk>
Component: vixie-cron
Assignee: Marcela Mašláňová <mmaslano>
Status: CLOSED NOTABUG
QA Contact: qe-baseos-daemons
Severity: medium
Priority: unspecified
Version: 5.8
CC: tmraz
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-03-13 13:37:11 UTC
Attachments:
  - /etc/environment (flags: none)
  - /etc/pam.d/system-auth-local (flags: none)

Description Alan Mikolajczuk 2012-03-12 17:29:06 UTC
Description of problem:
If /etc/environment contains "mesg n" or "mesg -n", then all crontab commands run as root will fail, indicating that root is not allowed to access crontab because of the pam configuration.

  - SELinux is permissive
  - default /etc/pam.d/crond file
  - custom /etc/pam.d/system-auth file
  - cron.allow contains root

I believe that this issue is being caused by BZ#249512.

Version-Release number of selected component (if applicable):
vixie-cron-4.1-81.el5

How reproducible:


Steps to Reproduce:
1. # crontab -l
Actual results:
Bad Item Passed to pam_*_item()
you (root)are not allowed to access to (crontab) because of pam configuration 

Expected results:
scheduled jobs displayed

Additional info:
The DISA checklist for Unix/RHEL5 requires that "mesg n" or "mesg -n" be in /etc/environment. See V-825 or GEN001780.

Comment 1 Tomas Mraz 2012-03-13 11:12:09 UTC
Can you please attach the contents of your /etc/environment and /etc/pam.d/system-auth ?

Comment 2 Alan Mikolajczuk 2012-03-13 11:56:02 UTC
Created attachment 569657
/etc/environment

Comment 3 Alan Mikolajczuk 2012-03-13 11:58:07 UTC
Created attachment 569659
/etc/pam.d/system-auth-local

The default symbolic link of system-auth pointing to system-auth-ac was removed and replaced with system-auth pointing to system-auth-local.

Comment 4 Tomas Mraz 2012-03-13 13:37:11 UTC
Either drop the nonsensical 'mesg n' from the /etc/environment or change the pam_env line in system-auth to be:

auth        [default=ignore]      pam_env.so

The /etc/environment is not read by anything other than pam_env nowadays and it does not make any sense to put lines there that are not in the name=value syntax. Basically your /etc/environment is broken and if the DISA checklist explicitly mentions adding 'mesg n' to it, then it should be corrected.
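
A check for the condition described in comment 4, as an added example that is not part of the original comments or of any Red Hat tooling: it lists the lines of /etc/environment that are not in name=value form. The function name check_env_file, the accepted grammar (blank lines, # comments, an optional leading "export ") and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: report lines in a pam_env-style file that are not name=value.
# Assumed grammar: blank lines, '#' comments, and NAME=value with an optional
# leading "export "; NAME consists of letters, digits and underscores only.

check_env_file() {
    file=${1:-/etc/environment}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # ignore leading whitespace
            if (line == "" || line ~ /^#/) next # blank line or comment
            sub(/^export[ \t]+/, "", line)      # optional shell-style prefix
            if (line !~ /^[A-Za-z0-9_]+=/) {
                printf "%s:%d: not name=value: %s\n", FILENAME, NR, $0
                bad++
            }
        }
        END { exit (bad > 0) }                  # 1 if any line was rejected
    ' "$file"
}

# Constructed sample resembling the reported setup (not the real attachment).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'LANG=en_US.UTF-8' 'mesg n' > "$sample"
check_env_file "$sample" || echo "correct the lines listed above"
rm -f "$sample"
```

The function returns 0 when every line parses, 1 when at least one line is rejected, and 2 when the file cannot be read, so it can gate a configuration-management run that applies a hardening checklist.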

Comment 5 Alan Mikolajczuk 2012-03-13 13:45:10 UTC
(In reply to comment #4)
> Either drop the nonsensical 'mesg n' from the /etc/environment or change
> the pam_env line in system-auth to be:
> 
> auth        [default=ignore]      pam_env.so
> 
> The /etc/environment is not read by anything other than pam_env nowadays and
> it does not make any sense to put lines there that are not in the name=value
> syntax. Basically your /etc/environment is broken and if the DISA checklist
> explicitly mentions adding 'mesg n' to it, then it should be corrected.

Thank you.