Bug 453097 - pam_listfile doesn't work for crond
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: crontabs
Version: 5.2
Hardware: All
OS: Linux
low
low
Target Milestone: rc
Assignee: Marcela Mašláňová
QA Contact: Brock Organ
Reported: 2008-06-27 09:10 UTC by Qian Shen
Modified: 2015-10-26 01:54 UTC
Doc Type: Bug Fix
Last Closed: 2008-06-27 15:02:48 UTC

Description Qian Shen 2008-06-27 09:10:02 UTC
Description of problem:
I want to limit some users using crontab. I know /etc/cron.allow may do it, but
it doesn't take effect if a crontab task already exists before this file is
created. So I tried pam_listfile.so, but it seems not to take effect.

Version-Release number of selected component (if applicable):
RHEL5.2
vixie-cron-4.1-72.el5
pam-0.99.6.2-3.27.el5

How reproducible:

always reproducible

Steps to Reproduce:
1. Create 2 users: user1, user2

2. Add a cron task to both user1 and user2
crontab -e:
*/1 * * * * ls

3. In /etc/pam.d/crond, add this line:
auth      required   pam_listfile.so onerr=fail item=user sense=allow file=/tmp/listfile

4. Create /tmp/listfile, add user1 in it.

5. service crond restart

Actual results:

Both the cron tasks of user1 and user2 can be executed


Expected results:

Only user1's cron task can be executed, user2's task should not be executed.


Additional info:

Comment 1 Marcela Mašláňová 2008-06-27 15:02:48 UTC
You need this as the first line in /etc/pam.d/crond:
account    required   pam_listfile.so onerr=fail item=user sense=allow file=/tmp/listfile

It can't work with auth.

Comment 2 Qian Shen 2008-06-30 01:37:29 UTC
Hi Marcela,

It's surprising that pam_listfile can't work with crond in auth. From man
pam_listfile, I get:
 
          #
          # deny ftp-access to users listed in the /etc/ftpusers file
          #
          auth    required       pam_listfile.so \
                  onerr=succeed item=user sense=deny file=/etc/ftpusers

So pam_listfile can work with ftp in auth. I don't know why pam_listfile can't
work with crond in auth?




Comment 3 Tomas Mraz 2008-06-30 07:13:35 UTC
Because crond doesn't use auth at all. As the cron jobs are running in the
background it makes no sense to call authentication functions - there would be
no way to supply a password to modules etc.
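
The point made in comments 1 and 3, as an added example that is not part of the original bug report or of any Red Hat tooling: a small checker that reads a PAM service file and flags user allow/deny rules placed in a module type the service never calls. The `CROND_STACKS` set, the `ACCESS_MODULES` list and both sample files are assumptions of this example ("account" comes from the discussion above, "session" is assumed).

```python
# Added example: flag PAM access-control rules in a stack the service never runs.
# "account" is taken from the bug discussion; "session" is this example's assumption.
CROND_STACKS = {"account", "session"}
# Modules commonly used to allow/deny users (example list, not exhaustive).
ACCESS_MODULES = {"pam_listfile.so", "pam_access.so"}

# Constructed samples of /etc/pam.d/crond (not copied from a real system).
SAMPLE_BEFORE = """\
# rule as added in the report
auth      required   pam_listfile.so onerr=fail item=user sense=allow \\
          file=/tmp/listfile
account   required   pam_access.so
session   required   pam_loginuid.so
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("auth ", "account ", 1)


def logical_lines(text):
    """Yield (first_line_no, text) with comments stripped and backslash continuations joined."""
    buf, start = "", None
    # The trailing "" sentinel flushes a file that ends on a continuation line.
    for no, raw in enumerate(text.splitlines() + [""], 1):
        line = raw.split("#", 1)[0].rstrip()
        start = no if start is None else start
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", None


def ineffective_rules(text, stacks_used=CROND_STACKS):
    """Return (line_no, module_type, module) for access rules the service will never evaluate."""
    findings = []
    for no, line in logical_lines(text):
        fields = line.split()
        mtype = fields[0].lstrip("-").lower()
        # First token ending in .so is the module; this skips bracketed controls and "include".
        module = next((f.rsplit("/", 1)[-1] for f in fields[1:] if f.endswith(".so")), None)
        if module in ACCESS_MODULES and mtype not in stacks_used:
            findings.append((no, mtype, module))
    return findings


if __name__ == "__main__":
    for no, mtype, module in ineffective_rules(SAMPLE_BEFORE):
        print(f"line {no}: {module} in '{mtype}' is never evaluated by crond")
```

Pointing `ineffective_rules` at the real contents of `/etc/pam.d/crond` gives the same check on a live host; a clean result means every allow/deny rule sits in a stack assumed to be invoked.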


