Cron job 'permission denied'

Hi,

After an upgrade to openSUSE 11.3 from 11.2 it turns out that cron uses PAM for authentication. Now I have one user ‘mythtv’ which does not have a login and is not part of the ‘users’ group. This user is being denied access (permission denied messages in /var/log/messages from crond).

Now, I have been experimenting with the /etc/pam.d/crond config file. I wanted to use the pam_listfile module to grant access to this specific user without authentication. That however didn’t work and I have now narrowed down the problem even more.

When I use this for my crond file


auth sufficient pam_rootok.so
auth sufficient pam_permit.so

I still get messages in /var/log/messages like this:


Jan  5 13:05:01 shikra /usr/sbin/cron[11243]: pam_warn(crond:account): function=[pam_sm_acct_mgmt] service=[crond] terminal=[cron] user=[mythtv] ruser=[<unknown>] rhost=[<unknown>]

I even tried removing the first entry in crond for pam_rootok.so and in that case even cron jobs from the root user fail. This is strange as pam_permit.so should allow access no matter what.

What could be the problem here?

Cheers
Erik

I have solved the problem. The idea was to use non-authenticated access so I had to use ‘account’ instead of ‘auth’ in the pam config file.

My crond config file now looks like this:


#
# The PAM configuration file for the cron daemon
#
#
auth     sufficient     pam_rootok.so
account  sufficient     pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed
#account   sufficient     pam_permit.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session

The only line added here is the pam_listfile.so rule. This one grants access to all users defined in the /etc/cron.allow file. I have added the mythtv user to that file and now my cron jobs are working again.

Perhaps this extension would be useful to add in the standard distribution (or something like it) as it allows a bit more control over cron and is more in line with how it used to work.

Cheers
Erik
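
As an added example (not part of the original posts), this Python sketch parses a pam.d service file, lists the management groups it leaves without any rule (the first attempt has no `account` line, which is the group named in the pam_warn message), and models the pam_listfile rule, including what `onerr=succeed` does when /etc/cron.allow cannot be read. The function names, the simplified pam_listfile model and the sample cron.allow contents are assumptions made for illustration.

```python
# Added example: audit a pam.d service file (simple control flags only).
GROUPS = ("auth", "account", "password", "session")

# Both configs are taken from the thread; the cron.allow contents passed in
# below are constructed sample data.
FIRST_TRY = """\
auth sufficient pam_rootok.so
auth sufficient pam_permit.so
"""
WORKING = """\
auth     sufficient     pam_rootok.so
account  sufficient     pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed
#account   sufficient     pam_permit.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
"""

def parse(text):
    """Return {group: [(control, module, options)]}, skipping comments."""
    stacks = {g: [] for g in GROUPS}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] in stacks:
            opts = dict(f.partition("=")[::2] for f in fields[3:])
            stacks[fields[0]].append((fields[1], fields[2], opts))
    return stacks

def listfile_grants(opts, user, file_lines):
    """Simplified pam_listfile model, item=user; file_lines=None means unreadable file."""
    if file_lines is None:
        return opts.get("onerr") == "succeed"   # unreadable file: onerr decides
    listed = user in (l.strip() for l in file_lines)
    return listed if opts.get("sense") == "allow" else not listed

def audit(text, user, file_lines):
    """Report groups with no rule and whether pam_listfile lets `user` through."""
    stacks = parse(text)
    result = {"no_rules": [g for g in GROUPS if not stacks[g]], "listfile": None}
    for _control, module, opts in stacks["account"]:
        if module == "pam_listfile.so" and opts.get("item") == "user":
            result["listfile"] = listfile_grants(opts, user, file_lines)
    return result

if __name__ == "__main__":
    print(audit(FIRST_TRY, "mythtv", None))
    print(audit(WORKING, "nobody", None))   # missing cron.allow: everyone passes
```

Because the rule is `sufficient`, a user listed in /etc/cron.allow returns from the account stack before `common-account` is consulted, and with `onerr=succeed` an unreadable /etc/cron.allow has the same effect for every user.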

In fact, a similar issue occurs with mailman so I had to add the user to the /etc/cron.allow file as well.

Also filed a bug for this: https://bugzilla.novell.com/show_bug.cgi?id=662433

ErikEngerd wrote:

> Also filed a bug

good work!
thanks for following through with the solution AND the bug!!


DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]
Programming: a race between software engineers building bigger/better
idiot-proof programs, and the universe building bigger/better idiots.
So far, the universe is winning. Rick Cook