Results 1 to 4 of 4

Thread: Cron job 'permission denied'

  1. #1

    Default Cron job 'permission denied'

    Hi,


    After an upgrade to opensuse 11.3 from 11.2 it turns out that cron uses pam for authentication. Now I have one user 'mythtv' which does not have a login and is not part of the 'users' group. This user is being denied access (permission denied messages in /var/log/messages from crond).

    Now, I have been experimenting with the /etc/pam.d/crond config file. I wanted to use the pam_listfile module to grant access to this specific user without authentication. That however didn't work and I have now narrowed down the problem even more.

    When I use this for my crond file
    Code:
    auth sufficient pam_rootok.so
    auth sufficinet pam_permit.so
    I still get messages in /var/log/messages like this:

    Code:
    Jan  5 13:05:01 shikra /usr/sbin/cron[11243]: pam_warn(crond:account): function=[pam_sm_acct_mgmt] service=[crond] terminal=[cron] user=[mythtv] ruser=[<unknown>] rhost=[<unknown>]
    I even tried removing the first entry in crond for pam_rootok.so
    and in that case even cron jobs from the root user fail. This is strange as pam_permit.so should allow access no matter what.

    What could be the problem here?

    Cheers
    Erik

  2. #2

    Default Re: Cron job 'permission denied'

    I have solved the problem. The idea was to use non-authenticated access so I had to use 'account' instead of 'auth' in the pam config file.

    My crond config file now looks like this:
    Code:
    #
    # The PAM configuration file for the cron daemon
    #
    #
    auth     sufficient     pam_rootok.so
    account  sufficient     pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed
    #account   sufficient     pam_permit.so
    auth     include        common-auth
    account  include        common-account
    password include        common-password
    session  required       pam_loginuid.so
    session  include        common-session
    The only line added here is the pam_listfile.so rule. This one grants access to all users defined in the /etc/cron.allow file. I have added the mythtv user to that file and now my cron jobs are working again.

    Perhaps this extension would be useful to add in the standard distribution (or something like it) as it allows a bit more control over cron and is more in line with how it used to work.

    Cheers
    Erik

  3. #3

    Default Re: Cron job 'permission denied'

    In fact, a similar issue occurs with mailman so I had to add the user to the /etc/cron.allow file as well.

    Also filed a bug for this: https://bugzilla.novell.com/show_bug.cgi?id=662433

  4. #4
    Join Date
    Jun 2008
    Location
    Earth - Denmark
    Posts
    10,730

    Default Re: Cron job 'permission denied'

    ErikEngerd wrote:

    > Also filed a bug


    good work!
    thanks for following through with the solution AND the bug!!

    --
    DenverD
    CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]
    Programming: a race between software engineers building bigger/better
    idiot-proof programs, and the universe building bigger/better idiots.
    So far, the universe is winning. Rick Cook

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •