Cron job 'permission denied'


After an upgrade to opensuse 11.3 from 11.2 it turns out that cron uses pam for authentication. Now I have one user ‘mythtv’ which does not have a login and is not part of the ‘users’ group. This user is being denied access (permission denied messages in /var/log/messages from crond).

Now, I have been experimenting with the /etc/pam.d/crond config file. I wanted to use the pam_listfile module to grant access to this specific user without authentication. That however didn’t work and I have now narrowed down the problem even more.

When I use this for my crond file

auth sufficient
auth sufficinet

I still get messages in /var/log/messages like this:

Jan  5 13:05:01 shikra /usr/sbin/cron[11243]: pam_warn(crond:account): function=[pam_sm_acct_mgmt] service=[crond] terminal=[cron] user=[mythtv] ruser=<unknown>] rhost=<unknown>]

I even tried removing the first entry in crond for
and in that case even cron jobs from the root user fail. This is strange as should allow access no matter what.

What could be the problem here?


I have solved the problem. The idea was to use non-authenticated access so I had to use ‘account’ instead of ‘auth’ in the pam config file.

My crond config file now looks like this:

# The PAM configuration file for the cron daemon
auth     sufficient
account  sufficient item=user sense=allow file=/etc/cron.allow onerr=succeed
#account   sufficient
auth     include        common-auth
account  include        common-account
password include        common-password
session  required
session  include        common-session

The only line added here is the rule. This one grants access to all users defined in the /etc/cron.allow file. I have added the mythtv user to that file and now my cron jobs are working again.

Perhaps this extension would be useful to add in the standard distribution (or something like it) as it allows a bit more control over cron and is more in line with how it used to work.


In fact, a similar issue occurs with mailman so I had to add the user to the /etc/cron.allow file as well.

Also filed a bug for this:

ErikEngerd wrote:

> Also filed a bug

good work!
thanks for following through with the solution AND the bug!!

CAVEAT: [posted via NNTP w/openSUSE 10.3]
Programming: a race between software engineers building bigger/better
idiot-proof programs, and the universe building bigger/better idiots.
So far, the universe is winning. Rick Cook