170883 – rhel4-u2 adds pam_access restriction

Bug 170883 - rhel4-u2 adds pam_access restriction

Summary: rhel4-u2 adds pam_access restriction

Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	vixie-cron
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Jason Vas Dias
QA Contact:	Brock Organ
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-10-14 22:19 UTC by Matthew Galgoci
Modified:	2007-11-30 22:07 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2005-10-15 20:49:10 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Matthew Galgoci 2005-10-14 22:19:52 UTC

Description of problem:

rhel4 introduced a modified pam config file for vixie-cron that added pam_access
account checking. This caused a handful of cronjobs on restricted shell servers
(restricted by pam_access) to fail.

There was no warning from rpm that the pam config file changed between
vixie-cron versions :(

Version-Release number of selected component (if applicable):

vixie-cron-4.1-36.EL4

How reproducible:

100%

Steps to Reproduce:

use pam_access to restrict login to a shell server. Administratively add a
crontab either in /etc/cron.d or as a user for which the user is denied in the
access.conf file. cronjob will fail.

This is a simple case of 'my cronjobs stopped running on my batch job server
after applying u2'.

Comment 3 Jason Vas Dias 2005-10-15 20:49:10 UTC

The vixie-cron update in U2 allowed the pam_access module to be used :
Bug 163882 - whereas before, it could not be. 

In addition, the /etc/pam.d/crond file HAD to be changed in U2 to enable
the pam_loginuid module for CAPP/EAL3 certification. There is no way that
users could have been notified of this change - sorry.

One of the main reasons for enabling PAM authentication for cron was
give admins the ability to restrict access to the cron service to certain
users / groups, and the way this is done with PAM is with pam_access.

You should not deny all access to all ttys in access.conf - access should
be granted per-terminal / service, so you could have an access.conf like:

-:ALL EXCEPT root:ALL EXCEPT LOCAL cron
+:ALL:cron

Other solutions are to remove the 
  'account required pam_access.so'
from /etc/pam.d/cron, or to add a cron specific access.conf file:
  'account required pam_access.so accessfile=/etc/security/cron_access.conf'
Or to add an sshd specific access file to /etc/pam.d/sshd:
  'account required pam_access.so accessfile=/etc/security/sshd_access.conf'

Many other services use pam_access, and you should not deny all services
in the global access.conf,  but should restrict access per-service.

You've already modified the default access.conf and sshd pam configuration
files - all the pam configuration files and access.conf files are meant to be
user configurable.

This problem does not occur with the default pam configuration and access.conf
files as shipped with RHEL-4-U2. 

We cannot guarantee that all user-modified configurations will always work :-) .
This is NOTABUG, as nothing within the vixie-cron package caused this problem ,
and it is not a problem with the default configuration.

Note You need to log in before you can comment on or make changes to this bug.