Red Hat Bugzilla – Bug 453097
pam_listfile doesn't work for crond
Last modified: 2015-10-25 21:54:50 EDT
Description of problem:
I want to limit some users using crontab. I know /etc/cron.allow may do it, but
it doesn't take effect if a crontab task already exists before this file is
created. So I tried pam_listfile.so, but it seems not to take effect.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create 2 users: user1, user2
2. Add a cron task to both user1 and user2:
*/1 * * * * ls
3. In /etc/pam.d/crond, add this line:
auth required pam_listfile.so onerr=fail item=user sense=allow
4. Create /tmp/listfile and add user1 to it.
5. service crond restart
Actual results:
The cron tasks of both user1 and user2 can be executed.
Expected results:
Only user1's cron task can be executed; user2's task should not be executed.
You need this as the first line in /etc/pam.d/crond:
account required pam_listfile.so onerr=fail item=user sense=allow
It can't work with auth.
It's surprising that pam_listfile can't work with crond in auth. From man
pam_listfile, I get:
# deny ftp-access to users listed in the /etc/ftpusers file
auth required pam_listfile.so \
onerr=succeed item=user sense=deny file=/etc/ftpusers
So pam_listfile can work with ftp in auth. I don't know why pam_listfile can't
work with crond in auth?
Because crond doesn't use auth at all. As the cron jobs are running in the
background it makes no sense to call authentication functions - there would be
no way to supply a password to modules etc.
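
The following checker is an added example, not part of the bug report or of the PAM or cron sources. It parses a PAM service file and reports pam_listfile rules that sit in the auth stack of a service that never runs it (as described above for crond), and rules with no file= argument. The function names and the sample file are constructed for illustration; /tmp/listfile is the path from step 4.

```python
import re

# Constructed sample: the report's auth line plus an account line with file= set.
SAMPLE_CROND = """\
# /etc/pam.d/crond (constructed sample)
auth required pam_listfile.so onerr=fail item=user sense=allow
account required pam_listfile.so \\
    onerr=fail item=user sense=allow file=/tmp/listfile
session required pam_loginuid.so
"""

# type, control (plain word or [bracketed] form), module, remaining arguments
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def logical_lines(text):
    """Yield (first_line_no, rule) with backslash continuations joined, comments dropped."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        rule = (buf + line).split("#", 1)[0].strip()
        buf = ""
        if rule:
            yield start, rule

def check_listfile(text, auth_is_called=False):
    """Return (line_no, problem) for each pam_listfile rule that cannot take effect.

    auth_is_called=False models a service such as crond that never runs the auth stack.
    """
    findings = []
    for no, rule in logical_lines(text):
        m = RULE.match(rule)
        if not m or "pam_listfile" not in m.group(3):
            continue
        mtype = m.group(1).lstrip("-")
        opts = dict(a.split("=", 1) for a in m.group(4).split() if "=" in a)
        if mtype == "auth" and not auth_is_called:
            findings.append((no, "auth stack is never run by this service"))
        if "file" not in opts:
            findings.append((no, "no file= argument, so there is no list to check"))
    return findings

if __name__ == "__main__":
    for no, problem in check_listfile(SAMPLE_CROND):
        print(f"line {no}: {problem}")
```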