Bug 453097 - pam_listfile doesn't work for crond
pam_listfile doesn't work for crond
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: crontabs (Show other bugs)
5.2
All Linux
low Severity low
: rc
: ---
Assigned To: Marcela Mašláňová
Brock Organ
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-27 05:10 EDT by Qian Shen
Modified: 2015-10-25 21:54 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-27 11:02:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Qian Shen 2008-06-27 05:10:02 EDT
Description of problem:
I want to limit some users using crontab. I know /etc/cron.allow may do it, but
it doesn't take effect if a crontab task  already exist before this file is
created. So I try pam_listfile.so, but it seems  not take effect.

Version-Release number of selected component (if applicable):
RHEL5.2
vixie-cron-4.1-72.el5
pam-0.99.6.2-3.27.el5

How reproducible:

always reproducible

Steps to Reproduce:
1.create 2 users: user1,user2

2.add a cron task to both user1, user2
crontab -e: 
*/1 * * * * ls

3.in /etc/pam.d/crond, add this line:
auth      required   pam_listfile.so onerr=fail item=user sense=allow
file=/tmp/listfile
  
4.create /tmp/listfile, add user1 in it.

5. service crond restart

Actual results:

Both the cron task of  user1, user2 can be executed


Expected results:

Only user1's cron task can be executed, user2's task should not be executed.


Additional info:
Comment 1 Marcela Mašláňová 2008-06-27 11:02:48 EDT
You need at first line in /etc/pam.d/crond this:
account    required   pam_listfile.so onerr=fail item=user sense=allow
file=/tmp/listfile

It can't be working with auth.
Comment 2 Qian Shen 2008-06-29 21:37:29 EDT
Hi Marcela,

it's surprised that pam_listfile can't work with crond in auth. From man
pam_listfile, I get:
 
          #
          # deny ftp-access to users listed in the /etc/ftpusers file
          #
          auth    required       pam_listfile.so \
                  onerr=succeed item=user sense=deny file=/etc/ftpusers

So pam_listfile can work with ftp in auth. I don't know why pam_listfile can't
work with crond in auth?


Comment 3 Tomas Mraz 2008-06-30 03:13:35 EDT
Because crond doesn't use auth at all. As the cron jobs are running in the
background it makes no sense to call authentication functions - there would be
no way to supply a password to modules etc.

Note You need to log in before you can comment on or make changes to this bug.