Bug 5160 - vixie cron is not pam aware
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: vixie-cron
Severity: medium
Assigned To: Jason Vas Dias
Keywords: FutureFeature
Duplicates: 5162
Reported: 1999-09-15 12:32 EDT by Lauri Jesmin
Modified: 2007-11-30 17:10 EST
Fixed In Version: vixie-cron-4.1
Doc Type: Enhancement
Last Closed: 2004-08-04 20:19:41 EDT


Description Lauri Jesmin 1999-09-15 12:32:14 EDT
vixie cron does not use pam and also does not read the
/etc/security/limits.conf file. The problem is that if
I normally set limits for all users (number of processes, amount of memory, etc.) by just editing the /etc/pam.d/(ssh,login,you name it) file
and setting it to use /etc/security/pam_limits.so, then I can't do this for cron.
And users can execute programs by setting cron jobs or at jobs.
The limits do not apply to those programs, and so a user can override the limits set by the administrator.
Comment 1 Bill Nottingham 1999-09-17 10:44:59 EDT
*** Bug 5162 has been marked as a duplicate of this bug. ***

Comment 2 Preston Brown 2000-01-13 23:09:59 EST
Comments, Cristian? I don't understand pam_limits well enough to tackle this
one.
Comment 3 Henri Schlereth 2000-07-13 23:02:08 EDT
A much more likely solution is to investigate cron.allow and cron.deny, since obviously the users found a way around
restrictions. I believe that such creative violation of rules should be rewarded with the removal of crontab access.

Just an opinion.

Henri
Comment 4 Cristian Gafton 2000-09-06 10:38:29 EDT
I am not sure that making cron PAM aware is something recommended. At least in
my opinion this does look like something that should be handled through
something like system usage guidelines.
Comment 5 Milan Kerslager 2001-04-09 05:22:31 EDT
As we talked about this issue on testers-list, I am reopening this bug (Alan told me to
do so).

The main problem is that anybody can bring the system to its knees even if the admin has
proper limits in /etc/security/limits.conf for users and groups of users. I
mean this is unacceptable for system stability and security when the whole system
is PAMified and there are two applications which do not honour this system-wide
policy (the atd daemon isn't PAMified either).

It can't be so hard to include PAM's limits in this application, as this
daemon should change UID to run a job for every user, and this is very similar to
su (think about what su does), login, sshd and many other programs which are
PAMified.
Comment 6 Lauri Jesmin 2001-04-09 10:19:40 EDT
Note:

All ways to execute a program should be PAMified. This also includes the Apache suEXEC wrapper
and sendmail/procmail (one can execute a program from .procmailrc / .forward files).
Comment 7 Brent Fox 2002-06-04 21:09:03 EDT
Bill, does this problem still exist?
Comment 8 Bill Huang 2002-06-06 21:42:01 EDT
The problem is still there. I am looking at this problem.
Comment 9 Milan Kerslager 2003-02-12 18:45:22 EST
What about http://fcron.free.fr? It can replace vixie-cron and anacron too.
Comment 10 Milan Kerslager 2003-05-24 05:53:56 EDT
Vixie cron could still be used for DoS. We are unable to protect a machine via
/etc/security/limits.conf as other access ways are.
Comment 11 Milan Kerslager 2003-06-18 10:07:27 EDT
Alpha3 still has the problem. I'm sure that this is a real security problem for
a multi-user environment (a simple DoS attack is easy).
Comment 12 Jason Vas Dias 2004-07-26 10:35:15 EDT
This will be fixed in Fedora FC3 / RHEL 4 with new vixie-cron 4.1-1,
that will add PAM support - details to follow.
Comment 13 Jason Vas Dias 2004-08-04 20:19:41 EDT
PAM support added - vixie-cron-4.1-7.
You will need to uncomment the last line in /etc/pam.d/crond
to use limits.conf
Comment 14 Saravanan 2005-01-25 02:15:34 EST
atd is also not PAM aware; a user can bypass
/etc/security/limits.conf if he submits a job through at or batch.
Comment 15 Jason Vas Dias 2005-01-25 11:58:33 EST
Yes, atd authentication should be controlled by PAM.
This is on my to-do list - I'll be starting work on it this week.
I've raised bug #146132 against at(1) for this issue - please use
this new bug and not this old vixie-cron 5610 bug - thanks.
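
An added example, not part of the bug thread or of vixie-cron: a shell check for whether a PAM service file applies pam_limits.so in its session stack, which is the setting comment 13 says must be uncommented for crond and comment 14 finds missing for atd. The `atd` service file name, the `PAM_DIR` override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: does a PAM service apply pam_limits in its session stack?
# PAM_DIR (an assumption of this example) can point at a copy of the config.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# pam_limits_active SERVICE -> exit status 0 if an uncommented session line
# loads pam_limits.so, directly or through include/substack/@include.
pam_limits_active() {
    awk -v dir="$PAM_DIR" -v svc="$1" '
    function scan(name,    file, line, f, n, i, hit) {
        if (name == "" || (name in seen)) return 0   # empty, or already visited
        seen[name] = 1                               # also stops include loops
        file = (name ~ /^\//) ? name : (dir "/" name)
        while (!hit && (getline line < file) > 0) {
            sub(/#.*/, "", line)                     # commented-out lines do not count
            n = split(line, f)
            if (f[1] == "@include")
                hit = scan(f[2])
            else if (f[1] == "session" || f[1] == "-session") {
                if (f[2] == "include" || f[2] == "substack")
                    hit = scan(f[3])
                else                                 # module follows the control field(s)
                    for (i = 3; i <= n; i++)
                        if (f[i] ~ /(^|\/)pam_limits\.so$/) hit = 1
            }
        }
        close(file)
        return hit
    }
    BEGIN { exit (scan(svc) ? 0 : 1) }'
}

# report SERVICE... prints one status line per service that runs user jobs.
report() {
    for s in "$@"; do
        if pam_limits_active "$s"; then
            echo "$s: pam_limits enabled in session stack"
        else
            echo "$s: pam_limits not enabled in session stack"
        fi
    done
}

report crond atd
```

A service reported as not enabled is one where jobs start without the pam_limits session module, so the limits.conf settings enforced for login or sshd are not applied to them.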
