Bug 541189 - cron and /etc/security/pam_env.conf problem
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: vixie-cron
Version: 5.4
Platform: All Linux
Severity: urgent
Assigned To: Marcela Mašláňová
QA Contact: qe-baseos-daemons
Keywords: ZStream
Blocks: 502912 546568

Reported: 2009-11-25 02:15 EST by Masahiro Matsuya
Modified: 2013-01-10 21:37 EST
Doc Type: Bug Fix
Last Closed: 2012-02-20 22:13:33 EST

Attachments:
proposed patch (1.10 KB, patch) - 2009-11-25 02:18 EST, Masahiro Matsuya
Building environment. (818 bytes, application/octet-stream) - 2009-12-10 09:40 EST, Marcela Mašláňová

Description Masahiro Matsuya 2009-11-25 02:15:57 EST
Description of problem:

 cron does not implement environment variables set in /etc/security/pam_env.conf. 
 The file /etc/pam.d/crond has pam_env.so as required for auth, not for session.

 The cron man page says:
 
    PAM Access Control
    On Red Hat systems, crond now supports access control with PAM  -  see
    pam(8).    A PAM   configuration  file  for crond  is installed  in
    /etc/pam.d/crond.  crond loads the PAM  environment  from  the pam_env
    module, but these can be overridden by settings in the crontab file.

Version-Release number of selected component (if applicable):

  vixie-cron-4.1-76.el5-x86_64

How reproducible:

  Always

Steps to Reproduce:

  1) create a file /etc/cron.hourly/callenv.cron containing

   env
   printenv FLEGMATE
   echo $FLEGMATE
 
  2) add to /etc/security/pam_env.conf:
 
   FLEGMATE  DEFAULT="one"   OVERRIDE="two"

  3) log out and log in again to make sure FLEGMATE is part of the environment

   # printenv FLEGMATE
   two

  4) create a crontab with crontab -e
 
   00 * * * *  /etc/cron.hourly/callenv.cron
   05 * * * *  /etc/cron.hourly/callenv.cron
   10 * * * *  /etc/cron.hourly/callenv.cron
   15 * * * *  /etc/cron.hourly/callenv.cron
   25 * * * *  /etc/cron.hourly/callenv.cron
   35 * * * *  /etc/cron.hourly/callenv.cron
   45 * * * *  /etc/cron.hourly/callenv.cron
   55 * * * *  /etc/cron.hourly/callenv.cron

  5) The email from cron is as follows (FLEGMATE not present)

  # mail
  Mail version 8.1 6/6/93.  Type ? for help.
  "/var/spool/mail/testuser": 1 message 1 new
  >N  1 root@test.net  Thu Nov 12 12:25  30/960   "Cron <testuser@test> /"
  & 1
  Message 1:
  From testuser@test.net  Thu Nov 12 12:25:01 2009
  Date: Thu, 12 Nov 2009 12:25:01 -0600
  From: root@test.net (Cron Daemon)
  To: testuser@test.net
  Subject: Cron <testuser@test> /etc/cron.hourly/callenv.cron
  Content-Type: text/plain; charset=UTF-8
  Auto-Submitted: auto-generated
  X-Cron-Env: <SHELL=/bin/sh>
  X-Cron-Env: <HOME=/home/testuser>
  X-Cron-Env: <PATH=/usr/bin:/bin>
  X-Cron-Env: <LOGNAME=testuser>
  X-Cron-Env: <USER=testuser>
  
  SHELL=/bin/sh
  USER=testuser
  PATH=/usr/bin:/bin
  _=/usr/bin/env
  PWD=/home/testuser
  HOME=/home/testuser
  SHLVL=2
  LOGNAME=testuser

Actual results:

  FLEGMATE is not defined in the cron script

Expected results:

  FLEGMATE is defined in the cron script

Additional info:

'auth required' needs to be replaced by 'session required', but that alone is not enough for this issue.

There is a problem in cron_set_job_security_context() of security.c.

-----------------------
int cron_set_job_security_context( entry *e, user *u, char ***jobenv )
{
   ...
   if ( cron_open_security_session( e->pwd ) != 0 )
   {
       syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
              e->pwd->pw_name, strerror(errno)
             );
       return -1;
   }

   /* The job environment is built here, before the PAM session has started. */
   *jobenv = build_env( e->envp );
  
   ...
   if ( cron_get_job_range(u, &ucontext, *jobenv) < OK )
   ...

   /* Only now is the PAM session started, i.e. only now are the
    * /etc/security/pam_env.conf variables read; *jobenv never sees them. */
   if ( cron_start_security_session( e->pwd ) != 0 )
   {
       syslog(LOG_INFO, "CRON (%s) ERROR: failed to open PAM security session: %s",
              e->pwd->pw_name, strerror(errno)
             );
       return -1;
   }
-----------------------

The env variables are configured in build_env(). On the other hand, the variables defined in /etc/security/pam_env.conf are read in cron_start_security_session(). This means that build_env() is executed before cron_start_security_session(). As a result, the env variables read in cron_start_security_session() are not reflected. Clearly, build_env() needs to be executed after cron_start_security_session().
jobenv is used in cron_get_job_range(), so we cannot simply remove the first build_env() call.

I created a patch. This patch executes build_env() twice in cron_set_job_security_context() and changes crond.pam.

Thanks,

Masahiro
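The ordering problem described above, as an added example that is not vixie-cron's own code: a small C model of what build_env() has to do once it runs after the PAM session has started, merging the PAM environment first and laying the crontab's own settings on top (the crontab overrides pam_env.conf, as cron(8) documents). The two environment arrays are constructed samples standing in for e->envp and for pam_getenvlist() output; env_get, build_job_env and dupstr are hypothetical helpers, not cron functions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: environment lines from the crontab itself
 * (what vixie-cron passes as e->envp). */
static const char *const crontab_env[] = { "SHELL=/bin/sh", "PATH=/usr/bin:/bin", "MAILTO=testuser", NULL };

/* Constructed sample: what pam_getenvlist() would return once the session
 * stack, including pam_env.so reading pam_env.conf, has actually run. */
static const char *const pam_env_after_session[] = { "FLEGMATE=two", "PATH=/usr/local/bin:/usr/bin:/bin", NULL };

static char *dupstr(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* Value of NAME in a NULL-terminated "NAME=value" array, or NULL. */
const char *env_get(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (; env && *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    return NULL;
}

/* Build the job environment: start from the PAM environment (NULL if it is
 * built before the session has started, which is the bug), then lay the
 * crontab settings on top so the crontab overrides pam_env.conf as cron(8)
 * documents. The caller frees the strings and the array. */
char **build_job_env(const char *const *pam_env, const char *const *cron_env)
{
    size_t cap = 1, len = 0, i, n;
    const char *const *p;
    for (p = pam_env; p && *p; p++) cap++;
    for (p = cron_env; p && *p; p++) cap++;
    char **out = calloc(cap, sizeof *out);  /* trailing NULL included */
    if (!out) return NULL;
    for (p = pam_env; p && *p; p++) out[len++] = dupstr(*p);
    for (p = cron_env; p && *p; p++) {
        n = strcspn(*p, "=");
        for (i = 0; i < len; i++)
            if (strncmp(out[i], *p, n) == 0 && out[i][n] == '=') break;
        if (i < len) { free(out[i]); out[i] = dupstr(*p); }
        else out[len++] = dupstr(*p);
    }
    return out;
}
```

Calling build_job_env(NULL, crontab_env) models the buggy order (no PAM list yet, so FLEGMATE is missing); build_job_env(pam_env_after_session, crontab_env) models the fixed order, where FLEGMATE appears and the crontab's PATH still wins.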
Comment 1 Masahiro Matsuya 2009-11-25 02:18:41 EST
Created attachment 373675 [details]
proposed patch

I confirmed that this issue is gone with this patch.
Comment 5 Marcela Mašláňová 2009-12-10 05:16:07 EST
The patch isn't fully correct. I'm working on a new one.
Comment 6 Marcela Mašláňová 2009-12-10 09:40:22 EST
Created attachment 377461 [details]
Building environment.
Comment 7 Marcela Mašláňová 2009-12-10 09:42:28 EST
The correct pam configuration:
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

It was tested with the new patch and this pam configuration.
Comment 20 errata-xmlrpc 2012-02-20 22:13:33 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0304.html
