Bug 802511 - crontab commands fail because of pam configuration
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: vixie-cron
Version: 5.8
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Marcela Mašláňová
QA Contact: qe-baseos-daemons
Reported: 2012-03-12 17:29 UTC by Alan Mikolajczuk
Modified: 2012-03-13 13:45 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-03-13 13:37:11 UTC


Attachments
/etc/environment (7 bytes, text/plain)
2012-03-13 11:56 UTC, Alan Mikolajczuk
/etc/pam.d/system-auth-local (1003 bytes, text/plain)
2012-03-13 11:58 UTC, Alan Mikolajczuk

Description Alan Mikolajczuk 2012-03-12 17:29:06 UTC
Description of problem:
If /etc/environment contains "mesg n" or "mesg -n", then all crontab commands run as root will fail, indicating that root is not allowed to access crontab because of the PAM configuration.

  - SELinux is permissive
  - default /etc/pam.d/crond file
  - custom /etc/pam.d/system-auth file
  - cron.allow contains root

I believe that this issue is being caused by BZ#249512.

Version-Release number of selected component (if applicable):
vixie-cron-4.1-81.el5

How reproducible:


Steps to Reproduce:
1. # crontab -l
Actual results:
Bad Item Passed to pam_*_item()
you (root)are not allowed to access to (crontab) because of pam configuration 

Expected results:
scheduled jobs displayed

Additional info:
The DISA checklist for Unix/RHEL5 requires that "mesg n" or "mesg -n" be in /etc/environment. See V-825 or GEN001780.

Comment 1 Tomas Mraz 2012-03-13 11:12:09 UTC
Can you please attach the contents of your /etc/environment and /etc/pam.d/system-auth ?

Comment 2 Alan Mikolajczuk 2012-03-13 11:56:02 UTC
Created attachment 569657
/etc/environment

Comment 3 Alan Mikolajczuk 2012-03-13 11:58:07 UTC
Created attachment 569659
/etc/pam.d/system-auth-local

The default symbolic link of system-auth pointing to system-auth-ac was removed and replaced with system-auth pointing to system-auth-local.

Comment 4 Tomas Mraz 2012-03-13 13:37:11 UTC
Either drop the nonsensical 'mesg n' from the /etc/environment or change pam_env line in system-auth to be:

auth        [default=ignore]      pam_env.so

/etc/environment is not read by anything other than pam_env nowadays, and it does not make any sense to put lines there that are not in the name=value syntax. Basically, your /etc/environment is broken, and if the DISA checklist explicitly mentions adding 'mesg n' to it, then it should be corrected.
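
A lint for the name=value requirement described in comment 4, as an added example that is not part of the original bug report and is not pam_env's own parser. The accepted pattern (shell-style variable name, blank lines and `#` comments ignored), the function name `lint_environment` and the sample content are assumptions.

```python
import re
import sys

# Assumption: a valid entry is NAME=VALUE with a shell-style variable name.
# Blank lines and lines starting with '#' are treated as ignorable.
ENTRY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def lint_environment(text):
    """Return (line_number, line) for every entry that is not NAME=VALUE."""
    bad = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not ENTRY.match(line):
            bad.append((number, line))
    return bad


# Constructed sample: 'mesg n' and 'mesg -n' are the entries named in this
# report; the other lines are ordinary assignments added for contrast.
SAMPLE = "mesg n\nLANG=en_US.UTF-8\n# comment\n\nPATH=/usr/bin:/bin\nmesg -n\n"


def main(argv):
    # With a path argument, lint that file; otherwise lint the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
        source = argv[1]
    else:
        text, source = SAMPLE, "<constructed sample>"
    findings = lint_environment(text)
    for number, line in findings:
        print(f"{source}:{number}: not NAME=VALUE: {line!r}")
    # Non-zero exit lets a configuration-management run fail on bad entries.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with `/etc/environment` as the argument before applying a hardening checklist change, so a shell command placed in that file is caught before PAM-using services such as crontab start failing.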

Comment 5 Alan Mikolajczuk 2012-03-13 13:45:10 UTC
(In reply to comment #4)
> Either drop the nonsensical 'mesg n' from the /etc/environment or change
> pam_env line in system-auth to be:
> 
> auth        [default=ignore]      pam_env.so
> 
> The /etc/environment is not read by anything else than pam_env nowadays and it
> does not make any sense to put there lines that are not in the name=value
> syntax. Basically your /etc/environment is broken and if DISA checklist
> explicitly mentions adding 'mesg n' to it, then it should be corrected.

Thank you.

