Red Hat Bugzilla – Bug 170883
rhel4-u2 adds pam_access restriction
Last modified: 2007-11-30 17:07:21 EST
Description of problem:
rhel4 introduced a modified pam config file for vixie-cron that added pam_access
account checking. This caused a handful of cronjobs on restricted shell servers
(restricted by pam_access) to fail.
There was no warning from rpm that the pam config file changed between
vixie-cron versions :(
Version-Release number of selected component (if applicable):
Steps to Reproduce:
use pam_access to restrict login to a shell server. Administratively add a
crontab either in /etc/cron.d or as a user for which the user is denied in the
access.conf file. cronjob will fail.
This is a simple case of 'my cronjobs stopped running on my batch job server
after applying u2'.
The vixie-cron update in U2 allowed the pam_access module to be used :
Bug 163882 - whereas before, it could not be.
In addition, the /etc/pam.d/crond file HAD to be changed in U2 to enable
the pam_loginuid module for CAPP/EAL3 certification. There is no way that
users could have been notified of this change - sorry.
One of the main reasons for enabling PAM authentication for cron was to
give admins the ability to restrict access to the cron service to certain
users / groups, and the way this is done with PAM is with pam_access.
You should not deny all access to all ttys in access.conf - access should
be granted per-terminal / service, so you could have an access.conf like:
-:ALL EXCEPT root:ALL EXCEPT LOCAL cron
Other solutions are to remove the
'account required pam_access.so'
from /etc/pam.d/cron, or to add a cron specific access.conf file:
'account required pam_access.so accessfile=/etc/security/cron_access.conf'
Or to add an sshd specific access file to /etc/pam.d/sshd:
'account required pam_access.so accessfile=/etc/security/sshd_access.conf'
Many other services use pam_access, and you should not deny all services
in the global access.conf, but should restrict access per-service.
You've already modified the default access.conf and sshd pam configuration
files - all the pam configuration files and access.conf files are meant to be
This problem does not occur with the default pam configuration and access.conf
files as shipped with RHEL-4-U2.
We cannot guarantee that all user-modified configurations will always work :-).
This is NOTABUG, as nothing within the vixie-cron package caused this problem,
and it is not a problem with the default configuration.
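Added example (not part of the bug report, and not pam_access's own code): a simplified evaluator for access.conf rules that shows why a global `-:ALL EXCEPT root:ALL` line also stops cron jobs, while the per-service line suggested in the comment above lets cron through and still blocks remote logins. It assumes crond presents the origin `cron` (it sets PAM_TTY to "cron"), matches users by name only (no groups), matches origins by exact string, and treats LOCAL as an origin with no "." in it; the two configurations and the users are constructed samples.

```python
# Simplified model of pam_access: lines are "permission:users:origins",
# the first line matching both user and origin decides, no match = permit.
# Assumptions (labelled): no group matching, exact-string origin matching,
# LOCAL = origin without ".", and crond's origin is the string "cron".

def _match_list(spec: str, value: str, match_one) -> bool:
    """Match `value` against a space-separated list, honouring 'ALL EXCEPT'."""
    tokens = spec.split()
    if len(tokens) >= 2 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return not any(match_one(t, value) for t in tokens[2:])
    return any(match_one(t, value) for t in tokens)

def _user_match(token: str, user: str) -> bool:
    return token == "ALL" or token == user

def _origin_match(token: str, origin: str) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin          # tty names and "cron" count as local
    return token == origin

def check_access(conf: str, user: str, origin: str) -> str:
    """Return "permit" or "deny" for (user, origin) under an access.conf text."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if _match_list(users, user, _user_match) and \
           _match_list(origins, origin, _origin_match):
            return "permit" if perm == "+" else "deny"
    return "permit"                        # pam_access default when nothing matches

# Constructed sample configurations (hypothetical, not from the reporter's host).
GLOBAL_DENY = "-:ALL EXCEPT root:ALL\n"                    # denies every service, cron too
PER_SERVICE = "-:ALL EXCEPT root:ALL EXCEPT LOCAL cron\n"  # the per-service line from above

if __name__ == "__main__":
    for name, conf in (("global", GLOBAL_DENY), ("per-service", PER_SERVICE)):
        for user, origin in (("batch", "cron"), ("batch", "192.0.2.10"), ("root", "cron")):
            print(f"{name:12} user={user:6} origin={origin:11} -> "
                  f"{check_access(conf, user, origin)}")
```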