Bug 5160 - vixie cron is not pam aware
Summary: vixie cron is not pam aware
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: vixie-cron
Version: 1
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact:
URL:
Whiteboard:
: 5162 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-09-15 16:32 UTC by Lauri Jesmin
Modified: 2007-11-30 22:10 UTC (History)
3 users (show)

Fixed In Version: vixie-cron-4.1
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-08-05 00:19:41 UTC


Attachments (Terms of Use)

Description Lauri Jesmin 1999-09-15 16:32:14 UTC
vixie cron does not use pam and also does not read
/etc/security/limits.conf file. The problem is that if
i normally set limits for all users (number of processes, amount of memory, etc) with just editing /etc/pam.d/(ssh,login,you name it) file
and setting it to use /etc/security/pam_limits.so, then i cant do this for cron.
And users can execute programs by setting cronjobs or at jobs.
To those programs the limits do not apply and so can user override limits set by administrator.

Comment 1 Bill Nottingham 1999-09-17 14:44:59 UTC
*** Bug 5162 has been marked as a duplicate of this bug. ***

vixie cron does not use pam and also does not read
/etc/security/limits.conf file. The problem is that if
i normally set limits for all users (number of processes, amount of memory, etc) with just editing /etc/pam.d/(ssh,login,you name it) file
and setting it to use /etc/security/pam_limits.so, then i cant do this for cron.
And users can execute programs by setting cronjobs or at jobs.
To those programs the limits do not apply and so can user override limits set by administrator.

Comment 2 Preston Brown 2000-01-14 04:09:59 UTC
comments Cristian?  I don't understand pam_limits well enough to tackle this
one.

Comment 3 Henri Schlereth 2000-07-14 03:02:08 UTC
A much more likely solution is to investigate cron.allow and cron.deny, since obvious the users found a way around
restrictions. I believe that such creative violation of rules should be rewarded with the removal of crontab access.

Just an opinion.

Henri

Comment 4 Cristian Gafton 2000-09-06 14:38:29 UTC
I am not sure that making cron PAM aware is something recommended. At least in
my opinion this does look like something that should be handeled through
something like system usage guidelines.


Comment 5 Milan Kerslager 2001-04-09 09:22:31 UTC
As we talk about this issue in testers-list I reopen this bug (Alan told me to 
do so).

The main problem is that anybody can push system to the knees even admin has 
proper limits in /etc/security/limits.conf for users and groups of users. I 
mean this is unacceptable for system stability and security when whole system 
is PAMified and there is two applications which do not honour this wide-system-
policy (atd daemon isn't pamified too).

This couldn't be so hard to include PAM's limits into this application as this 
daemon should change UID to run job for every user and this is wery similar to 
su (think about what doing su), login, sshd and many others programs which are 
PAMified.

Comment 6 Lauri Jesmin 2001-04-09 14:19:40 UTC
Note: 

All ways to execute a program should be PAMified. This includes also apache suEXEC wrapper

and sendmail/procmail (one can execute a program from .procmailrc / .forward files ).

Comment 7 Brent Fox 2002-06-05 01:09:03 UTC
Bill, does this problem still exist?

Comment 8 Bill Huang 2002-06-07 01:42:01 UTC
The problem is still there.I am looking at this problem.

Comment 9 Milan Kerslager 2003-02-12 23:45:22 UTC
What about http://fcron.free.fr? It can replace vixie-cron and anacron too.

Comment 10 Milan Kerslager 2003-05-24 09:53:56 UTC
Vixie cron could be still used for DoS. We are unable to protect a machine via
/etc/security/limits.conf as other access ways are.

Comment 11 Milan Kerslager 2003-06-18 14:07:27 UTC
Alpha3 still has the problem. I'm sure that this is real security problem for
multi-user environment (simple DoS attack is easy).

Comment 12 Jason Vas Dias 2004-07-26 14:35:15 UTC
This will be fixed in Fedora FC3 / RHEL 4 with new vixie-cron 4.1-1,
that will add PAM support - details to follow.


Comment 13 Jason Vas Dias 2004-08-05 00:19:41 UTC
PAM support added - vixie-cron-4.1-7.
You will need to uncomment the last line in /etc/pam.d/crond
to use limits.conf

Comment 14 Saravanan 2005-01-25 07:15:34 UTC
atd is also not PAM aware, an user can bypass
/etc/security/limits.conf if he sumbits a job through at or batch.


Comment 15 Jason Vas Dias 2005-01-25 16:58:33 UTC
Yes, atd authentication should be controlled by PAM .
This is on my to-do list - I'll be starting work on it this week.
I've raised bug #146132 against at(1) for this issue - please use
this new bug and not this old vixie-cron 5610 bug - thanks.


Note You need to log in before you can comment on or make changes to this bug.