Bug 541189
| Field | Value |
|---|---|
| Summary | cron and /etc/security/pam_env.conf problem |
| Product | Red Hat Enterprise Linux 5 |
| Component | vixie-cron |
| Version | 5.4 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Reporter | Masahiro Matsuya <mmatsuya> |
| Assignee | Marcela Mašláňová <mmaslano> |
| QA Contact | qe-baseos-daemons |
| CC | azelinka, ovasik, plyons, psklenar, shantikatta, tao, theo_nra |
| Target Milestone | rc |
| Keywords | ZStream |
| Doc Type | Bug Fix |
| Bug Blocks | 502912, 546568 |
| Last Closed | 2012-02-21 03:13:33 UTC |
| Attachments | 373675 (proposed patch), 377461 (Building environment) |
Created attachment 373675
proposed patch

I confirmed that this issue was gone by this patch.

The patch isn't fully correct. I'm working on a new one.

Created attachment 377461
Building environment.

The correct pam configuration:

```
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth
```

It was tested with the new patch and this pam configuration.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0304.html
Description of problem:
cron does not implement environment variables set in /etc/security/pam_env.conf. The file /etc/pam.d/crond has pam_env.so as required for auth, not for session. The cron man page says:

    PAM Access Control
    On Red Hat systems, crond now supports access control with PAM - see pam(8). A PAM configuration file for crond is installed in /etc/pam.d/crond. crond loads the PAM environment from the pam_env module, but these can be overridden by settings in the crontab file.

Version-Release number of selected component (if applicable):
vixie-cron-4.1-76.el5-x86_64

How reproducible:
Always

Steps to Reproduce:
1) create a file /etc/cron.hourly/callenv.cron containing

```sh
env
printenv FLEGMATE
echo $FLEGMATE
```

2) added to /etc/security/pam_env.conf:

```
FLEGMATE DEFAULT="one" OVERRIDE="two"
```

3) log out and login to make sure FLEGMATE is part of env

```
# printenv FLEGMATE
two
```

4) Created crontab with crontab -e

```
00 * * * * /etc/cron.hourly/callenv.cron
05 * * * * /etc/cron.hourly/callenv.cron
10 * * * * /etc/cron.hourly/callenv.cron
15 * * * * /etc/cron.hourly/callenv.cron
25 * * * * /etc/cron.hourly/callenv.cron
35 * * * * /etc/cron.hourly/callenv.cron
45 * * * * /etc/cron.hourly/callenv.cron
55 * * * * /etc/cron.hourly/callenv.cron
```

5) The email from cron is as follows (FLEGMATE not present)

```
# mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/spool/mail/testuser": 1 message 1 new
>N  1 root  Thu Nov 12 12:25  30/960  "Cron <testuser@test> /"
& 1
Message 1:
From testuser Thu Nov 12 12:25:01 2009
Date: Thu, 12 Nov 2009 12:25:01 -0600
From: root (Cron Daemon)
To: testuser
Subject: Cron <testuser@test> /etc/cron.hourly/callenv.cron
Content-Type: text/plain; charset=UTF-8
Auto-Submitted: auto-generated
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/home/testuser>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=testuser>
X-Cron-Env: <USER=testuser>

SHELL=/bin/sh
USER=testuser
PATH=/usr/bin:/bin
_=/usr/bin/env
PWD=/home/testuser
HOME=/home/testuser
SHLVL=2
LOGNAME=testuser
```

Actual results:
FLEGMATE is not defined in the cron script

Expected results:
FLEGMATE is defined in the cron script

Additional info:
It's needed that 'auth required' is replaced by 'session required'. But it's not enough for this issue. There is a problem in cron_set_job_security_context() of security.c.

```c
int
cron_set_job_security_context( entry *e, user *u, char ***jobenv )
{
	...
	if ( cron_open_security_session( e->pwd ) != 0 )
	{
		syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
			e->pwd->pw_name, strerror(errno) );
		return -1;
	}

	*jobenv = build_env( e->envp );
	...
	if ( cron_get_job_range(u, &ucontext, *jobenv) < OK )
	...
	if ( cron_start_security_session( e->pwd ) != 0 )
	{
		syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
			e->pwd->pw_name, strerror(errno) );
		return -1;
	}
```

The env variables are configured in build_env(). On the other hand, the variables defined in /etc/security/pam_env.conf are read in cron_start_security_session(). This means that build_env() is executed before cron_start_security_session(). As a result, the env variables read in cron_start_security_session() are not reflected. Clearly, the execution of build_env() needs to be after cron_start_security_session().

jobenv is used in cron_get_job_range(), so we cannot remove build_env(). I created a patch. This patch executes build_env() twice in cron_set_job_security_context() and changes crond.pam.

Thanks,
Masahiro
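The ordering problem the reporter describes in the Additional info, as an added example that is not vixie-cron's code and is not from anyone on this bug: a small C model of cron_set_job_security_context() in which the job environment is either captured before the PAM session is started (the pre-fix order) or rebuilt after it (the reporter's "build_env() twice" approach). Everything here is an assumption for illustration: the helpers env_set/env_get/env_free, make_daemon_env, job_env_before_fix, job_env_after_fix and job_has are hypothetical names; mock_start_security_session stands in for cron_start_security_session() by appending the report's FLEGMATE=two entry, and no libpam call is made; build_env mirrors only the behaviour the man page states (daemon environment first, crontab variables override).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap copy of a string (strdup without needing the POSIX feature macro). */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Value of NAME in a NULL-terminated NAME=value vector, or NULL if absent. */
static const char *env_get(char *const *env, const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env && env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

/* Add "NAME=value" to a heap vector, replacing an existing NAME in place. */
static char **env_set(char **env, const char *entry) {
    size_t len = strcspn(entry, "="), n = 0;
    for (; env && env[n]; n++) {
        if (strncmp(env[n], entry, len) == 0 && env[n][len] == '=') {
            free(env[n]);
            env[n] = dup_str(entry);
            return env;
        }
    }
    env = realloc(env, (n + 2) * sizeof *env);
    if (!env) { perror("realloc"); exit(1); }
    env[n] = dup_str(entry);
    env[n + 1] = NULL;
    return env;
}

static void env_free(char **env) {
    for (size_t i = 0; env && env[i]; i++) free(env[i]);
    free(env);
}

/* The daemon's own environment before any PAM interaction (constructed). */
static char **make_daemon_env(void) {
    char **env = env_set(NULL, "PATH=/usr/bin:/bin");
    return env_set(env, "SHELL=/bin/sh");
}

/* Stand-in for cron_start_security_session(): with pam_env.so in the stack,
 * PAM pushes /etc/security/pam_env.conf entries into the daemon's environment.
 * No real PAM call is made; the entry is the report's FLEGMATE OVERRIDE value. */
static char **mock_start_security_session(char **daemon_env) {
    return env_set(daemon_env, "FLEGMATE=two");
}

/* Mirrors cron's build_env(): copy the daemon environment, then apply the
 * crontab's NAME=value lines, which override it (as the man page says). */
static char **build_env(char *const *daemon_env, char *const *crontab_env) {
    char **out = NULL;
    for (size_t i = 0; daemon_env && daemon_env[i]; i++) out = env_set(out, daemon_env[i]);
    for (size_t i = 0; crontab_env && crontab_env[i]; i++) out = env_set(out, crontab_env[i]);
    return out;
}

/* Pre-fix order from the report: jobenv is built before the session starts,
 * so whatever pam_env added never reaches the job. */
static char **job_env_before_fix(char *const *crontab_env) {
    char **daemon_env = make_daemon_env();
    char **jobenv = build_env(daemon_env, crontab_env);    /* too early */
    daemon_env = mock_start_security_session(daemon_env);  /* FLEGMATE appears only now */
    env_free(daemon_env);
    return jobenv;
}

/* The reporter's fix: keep the first build (cron_get_job_range() consumes it)
 * and rebuild jobenv once the session exists. */
static char **job_env_after_fix(char *const *crontab_env) {
    char **daemon_env = make_daemon_env();
    char **jobenv = build_env(daemon_env, crontab_env);    /* for cron_get_job_range() */
    daemon_env = mock_start_security_session(daemon_env);
    env_free(jobenv);
    jobenv = build_env(daemon_env, crontab_env);           /* now includes FLEGMATE */
    env_free(daemon_env);
    return jobenv;
}

/* 1 if NAME reaches the job environment produced by BUILDER, else 0. */
static int job_has(const char *name, char **(*builder)(char *const *),
                   char *const *crontab_env) {
    char **jobenv = builder(crontab_env);
    int seen = env_get(jobenv, name) != NULL;
    env_free(jobenv);
    return seen;
}

int main(void) {
    char *crontab_env[] = {"SHELL=/bin/sh", NULL};
    printf("before fix: FLEGMATE %s\n",
           job_has("FLEGMATE", job_env_before_fix, crontab_env) ? "set" : "missing");
    printf("after fix:  FLEGMATE %s\n",
           job_has("FLEGMATE", job_env_after_fix, crontab_env) ? "set" : "missing");
    return 0;
}
```

The two builders differ only in where build_env() runs relative to the session start, which is the whole point of the report: a variable that pam_env injects during pam_setcred()/pam_open_session() is only visible to a snapshot taken afterwards. Note that a variable set directly in the crontab is present in both orderings, because build_env() applies crontab lines itself; only the PAM-sourced ones depend on the fix. On a real system the equivalent check is the reporter's step 5: run a crontab entry that prints the pam_env.conf variable and look at the mail.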