Description of problem:
I want to limit some users using crontab. I know /etc/cron.allow may do it, but it doesn't take effect if a crontab task already exists before this file is created. So I try pam_listfile.so, but it seems not to take effect.

Version-Release number of selected component (if applicable):
RHEL5.2
vixie-cron-4.1-72.el5
pam-0.99.6.2-3.27.el5

How reproducible:
always reproducible

Steps to Reproduce:
1. Create 2 users: user1, user2
2. Add a cron task to both user1, user2 with crontab -e:
   */1 * * * * ls
3. In /etc/pam.d/crond, add this line:
   auth required pam_listfile.so onerr=fail item=user sense=allow file=/tmp/listfile
4. Create /tmp/listfile, add user1 in it.
5. service crond restart

Actual results:
Both the cron tasks of user1, user2 can be executed

Expected results:
Only user1's cron task can be executed, user2's task should not be executed.

Additional info:
You need this as the first line in /etc/pam.d/crond:
   account required pam_listfile.so onerr=fail item=user sense=allow file=/tmp/listfile
It can't work with auth.
Hi Marcela, it's surprising that pam_listfile can't work with crond in auth. From man pam_listfile, I get:
   #
   # deny ftp-access to users listed in the /etc/ftpusers file
   #
   auth required pam_listfile.so \
       onerr=succeed item=user sense=deny file=/etc/ftpusers
So pam_listfile can work with ftp in auth. I don't know why pam_listfile can't work with crond in auth?
Because crond doesn't use auth at all. As the cron jobs are running in the background it makes no sense to call authentication functions - there would be no way to supply a password to modules etc.
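Added example, not part of the bug thread or of any project's code: a small check that reads a PAM service file such as /etc/pam.d/crond and reports whether each pam_listfile rule sits in the account stack (which the thread says works for crond) or in the auth stack (which crond never calls). The function names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# check_listfile_stack [FILE]
# Reads a PAM service file (or stdin) and prints one verdict per
# pam_listfile rule. Returns 0 only if at least one rule is in the
# account stack and none is in the auth stack.
check_listfile_stack() {
    awk '
        # Join backslash-continued lines, which PAM config files allow.
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; if (!start) start = NR; next }
        {
            line = buf $0; n = start ? start : NR; buf = ""; start = 0
            sub(/#.*/, "", line)                 # drop comments
            if (line !~ /pam_listfile\.so/) next
            split(line, f, " ")
            type = f[1]; sub(/^-/, "", type)     # optional leading "-"
            if (type == "account")   { ok++;  print "EFFECTIVE account line " n }
            else if (type == "auth") { bad++; print "IGNORED auth line " n }
            else print "UNCHECKED " type " line " n   # not covered by the thread
        }
        END { exit !(ok > 0 && bad == 0) }
    ' "$@"
}

# Constructed sample: the rule as the reporter wrote it (auth stack).
sample_auth() {
    printf '%s\n' \
        'auth required pam_listfile.so \' \
        '    onerr=fail item=user sense=allow file=/tmp/listfile'
}

# Constructed sample: the rule as suggested in the reply (account stack).
sample_account() {
    printf '%s\n' \
        '# only users in /tmp/listfile may run cron jobs' \
        'account required pam_listfile.so onerr=fail item=user sense=allow file=/tmp/listfile'
}

# Demo: show both verdicts; "|| true" keeps the demo from failing the script.
sample_auth | check_listfile_stack || true
sample_account | check_listfile_stack || true
```

On a real system, run `check_listfile_stack /etc/pam.d/crond`; a non-zero exit status means the allow list is not being enforced for cron jobs.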