Description of problem:
cron does not implement environment variables set in /etc/security/pam_env.conf. The file /etc/pam.d/crond has pam_env.so as required for auth, not for session.

The cron man page says:

    PAM Access Control
    On Red Hat systems, crond now supports access control with PAM - see pam(8). A PAM configuration file for crond is installed in /etc/pam.d/crond. crond loads the PAM environment from the pam_env module, but these can be overridden by settings in the crontab file.

Version-Release number of selected component (if applicable):
vixie-cron-4.1-76.el5-x86_64

How reproducible:
Always

Steps to Reproduce:
1) create a file /etc/cron.hourly/callenv.cron containing

    env
    printenv FLEGMATE
    echo $FLEGMATE

2) added to /etc/security/pam_env.conf:

    FLEGMATE DEFAULT="one" OVERRIDE="two"

3) log out and login to make sure FLEGMATE is part of env

    # printenv FLEGMATE
    two

4) Created crontab with crontab -e

    00 * * * * /etc/cron.hourly/callenv.cron
    05 * * * * /etc/cron.hourly/callenv.cron
    10 * * * * /etc/cron.hourly/callenv.cron
    15 * * * * /etc/cron.hourly/callenv.cron
    25 * * * * /etc/cron.hourly/callenv.cron
    35 * * * * /etc/cron.hourly/callenv.cron
    45 * * * * /etc/cron.hourly/callenv.cron
    55 * * * * /etc/cron.hourly/callenv.cron

5) The email from cron is as follows (FLEGMATE not present)

    # mail
    Mail version 8.1 6/6/93.  Type ? for help.
    "/var/spool/mail/testuser": 1 message 1 new
    >N  1 root  Thu Nov 12 12:25  30/960  "Cron <testuser@test> /"
    & 1
    Message 1:
    From testuser Thu Nov 12 12:25:01 2009
    Date: Thu, 12 Nov 2009 12:25:01 -0600
    From: root (Cron Daemon)
    To: testuser
    Subject: Cron <testuser@test> /etc/cron.hourly/callenv.cron
    Content-Type: text/plain; charset=UTF-8
    Auto-Submitted: auto-generated
    X-Cron-Env: <SHELL=/bin/sh>
    X-Cron-Env: <HOME=/home/testuser>
    X-Cron-Env: <PATH=/usr/bin:/bin>
    X-Cron-Env: <LOGNAME=testuser>
    X-Cron-Env: <USER=testuser>

    SHELL=/bin/sh
    USER=testuser
    PATH=/usr/bin:/bin
    _=/usr/bin/env
    PWD=/home/testuser
    HOME=/home/testuser
    SHLVL=2
    LOGNAME=testuser

Actual results:
FLEGMATE is not defined in the cron script

Expected results:
FLEGMATE is defined in the cron script

Additional info:
It's needed that 'auth required' is replaced by 'session required'. But it's not enough for this issue. There is a problem in cron_set_job_security_context() of security.c.

-----------------------
int cron_set_job_security_context( entry *e, user *u, char ***jobenv ) {
    ...
    if ( cron_open_security_session( e->pwd ) != 0 ) {
        syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
               e->pwd->pw_name, strerror(errno) );
        return -1;
    }

    *jobenv = build_env( e->envp );
    ...
    if ( cron_get_job_range(u, &ucontext, *jobenv) < OK )
    ...
    if ( cron_start_security_session( e->pwd ) != 0 ) {
        syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
               e->pwd->pw_name, strerror(errno) );
        return -1;
    }
-----------------------

The env variables are configured in build_env(). On the other hand, the variables defined in /etc/security/pam_env.conf are read in cron_start_security_session(). This means that build_env() is executed before cron_start_security_session(). As a result, the env variables read in cron_start_security_session() are not reflected. Clearly, the execution of build_env() needs to be after cron_start_security_session().

jobenv is used in cron_get_job_range(), so we cannot remove build_env(). I created a patch. This patch executes build_env() twice in cron_set_job_security_context() and changes crond.pam.

Thanks,
Masahiro
Created attachment 373675
proposed patch

I confirmed that this issue was gone by this patch.
The patch isn't fully correct. I'm working on new one.
Created attachment 377461
Building environment.
The correct pam configuration:

    auth       sufficient pam_env.so
    auth       required   pam_rootok.so
    auth       include    system-auth
    account    required   pam_access.so
    account    include    system-auth
    session    required   pam_loginuid.so
    session    include    system-auth

It was tested with the new patch and this pam configuration.
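The report turns on which PAM stack of the crond service actually reaches pam_env.so, and the configuration above leaves part of that to the `include system-auth` lines, so what the session stack loads is only visible after resolving the include. The shell script below is an added example, not part of this bug report or of the vixie-cron package. It resolves include/substack lines and prints which of the four stacks (auth, account, password, session) of a service reaches pam_env.so. PAMDIR and the three files it writes are constructed for the example: the system-auth stub is an abridged stand-in, and the two crond variants are modelled on the shipped file as the report describes it (pam_env.so required in auth only) and on the session-stack change proposed in the report. Point PAMDIR at /etc/pam.d to audit a real host. Whether the variables then reach the job also depends on crond reading the PAM environment only after the session has been started, which is the ordering problem in cron_set_job_security_context() analysed earlier in the report; this check covers the configuration half only.

```shell
#!/bin/sh
# Added example, not from the bug report or vixie-cron: report which PAM
# stacks of a service reach pam_env.so, following include/substack lines.
# PAMDIR and the config files below are constructed for the example.

set -f   # no globbing while word-splitting config lines

PAMDIR="${PAMDIR:-$(mktemp -d)}"

# Constructed, abridged stand-in for a system-auth file (pam_env.so in auth only).
cat > "$PAMDIR/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so nullok use_authtok
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_limits.so
session     required      pam_unix.so
EOF

# Modelled on the shipped crond file as described in the report: pam_env.so
# is required in the auth stack and absent from the session stack.
cat > "$PAMDIR/crond.auth-only" <<'EOF'
auth       required   pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth
EOF

# Modelled on the change proposed in the report: pam_env.so in the session stack.
cat > "$PAMDIR/crond.session" <<'EOF'
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    required   pam_env.so
session    include    system-auth
EOF

# stack_loads_module SERVICE STACK MODULE DEPTH
# Succeeds if MODULE appears in SERVICE's STACK chain, recursing into
# include/substack targets. DEPTH bounds the recursion against include loops.
stack_loads_module() {
    local svc="$1" stack="$2" mod="$3" depth="$4" line control
    local f="$PAMDIR/$svc"
    [ -r "$f" ] || return 1
    [ "$depth" -lt 8 ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop comments (and #%PAM-1.0)
        set -- $line                      # type control module-or-service args...
        [ $# -ge 3 ] || continue
        [ "$1" = "$stack" ] || continue
        control=$2
        shift 2
        case "$control" in
            '['*']') ;;                   # single-word bracketed control
            '['*)                         # multi-word [success=1 default=ignore]: skip to ]
                while [ $# -gt 0 ]; do
                    case "$1" in *']') shift; break ;; esac
                    shift
                done ;;
        esac
        [ $# -ge 1 ] || continue
        case "$control" in
            include|substack)
                if stack_loads_module "$1" "$stack" "$mod" $((depth + 1)); then return 0; fi ;;
            *)
                [ "${1##*/}" = "$mod" ] && return 0 ;;
        esac
    done < "$f"
    return 1
}

# pam_env_stacks SERVICE
# Prints the space-separated stack types whose chain reaches pam_env.so.
pam_env_stacks() {
    local svc="$1" stack found=""
    for stack in auth account password session; do
        if stack_loads_module "$svc" "$stack" pam_env.so 0; then
            found="$found $stack"
        fi
    done
    printf '%s\n' "${found# }"
}

for svc in crond.auth-only crond.session; do
    printf '%-16s pam_env.so reached via: %s\n' "$svc" "$(pam_env_stacks "$svc")"
done
```

On the constructed files this prints `auth` for crond.auth-only and `auth session` for crond.session; the auth hit in the second case comes from the included system-auth stub, not from the crond file itself, which is why resolving includes matters when reading a service file like the one above.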
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0304.html