Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 163882 - cron fails with pam_access
Summary: cron fails with pam_access
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: vixie-cron
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Jason Vas Dias
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On: 146073
Blocks: 156322
TreeView+ depends on / blocked
 
Reported: 2005-07-21 19:28 UTC by Jason Vas Dias
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

Fixed In Version: RHSA-2005-361
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-05 12:34:59 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:361 qe-ready SHIPPED_LIVE Low: vixie-cron security update 2005-10-05 04:00:00 UTC

Description Jason Vas Dias 2005-07-21 19:28:39 UTC
+++ This bug was initially created as a clone of Bug #146073 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20041020

Description of problem:
When using the pam_access module, cron fails for user jobs.  In
particular, this shows up in the logs every time the cronjob should run:

pam_access[6093]: couldn't get the tty name
crond[6093]: Critical error - immediate abort

pam_access is enabled by (for example) adding the following to
/etc/pam.d/system_auth:
account     required      /lib/security/$ISA/pam_access.so
This causes the rules in /etc/security/access.conf will be enforced.

A google search turned up the issue, along with a possible resolution,
in debian linux: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=254845

Version-Release number of selected component (if applicable):
vixie-cron-4.1-20_FC3

How reproducible:
Always

Steps to Reproduce:
1. add "account required /lib/security/$ISA/pam_access.so" to
/etc/pam.d/system_auth
2. create a cronjob for a user
3. wait ;)
    

Actual Results:  The error is logged in /var/log/messages.

Expected Results:  The cronjob should have run.

Additional info:

Comment 1 Jason Vas Dias 2005-07-21 20:53:02 UTC
Fixed for bug 146073 with vixie-cron-4.1-36.EL4 

Comment 6 Red Hat Bugzilla 2005-10-05 12:34:59 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-361.html


Comment 7 Joost Soeterbroek 2005-10-12 07:46:34 UTC
2 questions:

* I was under the impression that the bug is really in the pam_access module, 
so I was expecting a bugfix for PAM rather than vixie-cron. Is this a cron fix 
or a PAM fix?
* This bug applies to RHEL3 also, will there be a bugfix/erratum for RHEL3 too?

Comment 8 Jason Vas Dias 2005-10-12 15:45:12 UTC
RE: Comment #7:
> * I was under the impression that the bug is really in the pam_access module, 
> so I was expecting a bugfix for PAM rather than vixie-cron. Is this a cron fix 
> or a PAM fix?

No PAM fix was required - crond was not setting the 'PAM_TTY' item, which is
required by the pam_access module.

> * This bug applies to RHEL3 also, will there be a bugfix/erratum for 
> RHEL3 too?

No, the latest supported cron for RHEL-3 is vixie-cron-3.0.1-76_EL3, which 
has no PAM support.

There is a vixie-cron-4.1 version for RHEL-3, which does have PAM support and
in which this problem is also fixed, available from:
  http://people.redhat.com/~jvdias/cron/RHEL-3/4.1-8.EL3

Comment 9 Aleksey Nogin 2005-10-23 22:30:28 UTC
Is there a reason why vixie-cron-4.1-36.EL4 have shipped with pam_access in the
default /etc/pam.d/crond? This does not seem right - if people have a
/etc/security/access.conf set up to something nontrivial, the pam_access in
/etc/pam.d/crond could have very strange effects for them.

P.S. The issue of whether pam_access should tolerate an unset tty is raised in
bug 170467.


Note You need to log in before you can comment on or make changes to this bug.