Bug 802511 - crontab commands fail because of pam configuration
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: vixie-cron
Version: 5.8
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Marcela Mašláňová
QA Contact: qe-baseos-daemons
Reported: 2012-03-12 13:29 EDT by Alan Mikolajczuk
Modified: 2012-03-13 09:45 EDT
Doc Type: Bug Fix
Last Closed: 2012-03-13 09:37:11 EDT


Attachments:
/etc/environment (7 bytes, text/plain)
2012-03-13 07:56 EDT, Alan Mikolajczuk
/etc/pam.d/system-auth-local (1003 bytes, text/plain)
2012-03-13 07:58 EDT, Alan Mikolajczuk

Description Alan Mikolajczuk 2012-03-12 13:29:06 EDT
Description of problem:
If /etc/environment contains "mesg n" or "mesg -n" then all crontab commands run as root will fail, indicating that root is not allowed to access crontab because of the pam configuration.

  - selinux is permissive
  - default /etc/pam.d/crond file
  - custom /etc/pam.d/system-auth file
  - cron.allow contains root

I believe that this issue is being caused by BZ#249512

Version-Release number of selected component (if applicable):
vixie-cron-4.1-81.el5

How reproducible:


Steps to Reproduce:
1. # crontab -l
Actual results:
Bad Item Passed to pam_*_item()
you (root)are not allowed to access to (crontab) because of pam configuration 

Expected results:
scheduled jobs displayed

Additional info:
The DISA checklist for Unix/RHEL5 requires that "mesg n" or "mesg -n" be in /etc/environment. See V-825 or GEN001780.
Comment 1 Tomas Mraz 2012-03-13 07:12:09 EDT
Can you please attach the contents of your /etc/environment and /etc/pam.d/system-auth?
Comment 2 Alan Mikolajczuk 2012-03-13 07:56:02 EDT
Created attachment 569657
/etc/environment
Comment 3 Alan Mikolajczuk 2012-03-13 07:58:07 EDT
Created attachment 569659
/etc/pam.d/system-auth-local

The default symbolic link of system-auth pointing to system-auth-ac was removed and replaced with system-auth pointing to system-auth-local.
Comment 4 Tomas Mraz 2012-03-13 09:37:11 EDT
Either drop the nonsensical 'mesg n' from the /etc/environment or change pam_env line in system-auth to be:

auth        [default=ignore]      pam_env.so

The /etc/environment is not read by anything else than pam_env nowadays and it does not make any sense to put there lines that are not in the name=value syntax. Basically your /etc/environment is broken and if DISA checklist explicitly mentions adding 'mesg n' to it, then it should be corrected.
Comment 5 Alan Mikolajczuk 2012-03-13 09:45:10 EDT
(In reply to comment #4)
> Either drop the nonsensical 'mesg n' from the /etc/environment or change
> pam_env line in system-auth to be:
> 
> auth        [default=ignore]      pam_env.so
> 
> The /etc/environment is not read by anything else than pam_env nowadays and it
> does not make any sense to put there lines that are not in the name=value
> syntax. Basically your /etc/environment is broken and if DISA checklist
> explicitly mentions adding 'mesg n' to it, then it should be corrected.

Thank you.
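
Added example (not part of the bug report or of vixie-cron/PAM): a pre-deployment check for the condition Comment 4 describes, listing every line of an environment file that is not in name=value syntax. The function name `check_envfile` is hypothetical, and treating blank lines, `#` comment lines and a leading `export ` as acceptable is an assumption; the sample file is constructed.

```shell
#!/bin/sh
# Audit an /etc/environment-style file for lines that are not NAME=VALUE.
# Assumptions: blank lines and '#' comment lines are harmless, and an
# optional leading "export " is tolerated.

check_envfile() {
    # $1: path of the file to audit.
    # Prints "file:lineno: text" for each offending line.
    # Returns 0 when every line is acceptable, 1 otherwise.
    awk '
        /^[ \t]*$/ { next }    # blank line
        /^[ \t]*#/ { next }    # comment line
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # leading whitespace
            sub(/^export[ \t]+/, "", line)    # shell-style prefix
            if (line !~ /^[A-Za-z_][A-Za-z0-9_]*=/) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample reproducing the reported configuration.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'LANG=en_US.UTF-8' 'mesg n' > "$sample"
if ! check_envfile "$sample"; then
    echo "not name=value syntax; correct these lines before deploying" >&2
fi
rm -f "$sample"
```

On a live system, run `check_envfile /etc/environment` after applying a hardening checklist and before relying on cron or any other service whose PAM stack includes pam_env.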
