LinuxQuestions.org

JZL240I-U 07-14-2009 03:37 AM

Could not open PAM session
 
This is what I get in /var/log/messages for a (f)cron job:
Code:

Jul  8 12:35:11 wodenhof fcron[4422]: Could not open PAM session for '/home/Nicht-SuSE/smartmon/HDtemp.sh': Cannot make/remove an entry for the specified session
Jul  8 12:35:11 wodenhof fcron[4422]: Job '/home/Nicht-SuSE/smartmon/HDtemp.sh' has *not* run.
Jul  8 12:35:11 wodenhof fcron[1650]: read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 1): Success
Jul  8 12:35:11 wodenhof fcron[1650]: read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 2): Success
Jul  8 12:35:12 wodenhof fcron[1650]: read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 3): Success
Jul  8 12:35:13 wodenhof fcron[1650]: Could not read job pid because of closed pipe: setting it to -1

I don't really understand what it means and so I have no idea how to rectify the situation. The job(s) ran some time ago and I don't really remember changing anything in the system. Any ideas?

anomie 07-14-2009 05:56 PM

What OS? Off the top of my head: 1) it could be that your /etc/pam.d/crond rules are malformed (are other cronjobs working?); 2) it could be that you - or your OS - have enabled access control for cron via pam_access, and you're operating outside of the rules' requirements.

JZL240I-U 07-17-2009 03:16 AM

Hmm, that's rather complicated to understand. First, it's SuSE 11.0 as stated in my user panel. AFAIK cron jobs (like beagle, updatedb...) are running. I can start the job (script) by hand and it works. I'll post the rules as soon as I get to that box.

This is fcron (http://fcron.free.fr/) which works with pam. How do I find out the rules' requirements?

anomie 07-17-2009 02:25 PM

The default access list file should be noted in the manpages for pam_access(8). But I think I was barking up the wrong tree with that idea.

-------

A quick google for your error message turned up a couple illuminating hits:
I'd be curious to see the contents of your /etc/pam.d/crond file, but even then may be unable to help. It might be worthwhile to track down and search Suse's bug db for other users reporting the same problem (presuming you are using a default configuration, and haven't been tinkering with PAM).

JZL240I-U 07-20-2009 04:43 AM

Quote:

Originally Posted by anomie (Post 3611061)
The default access list file should be noted in the manpages for pam_access(8). ...

Please keep in mind that I am a newbie, for all my 2300+ posts here (mostly questions to learn). I'll have a look what my access.conf says, I just learned about its existence from you, thanks for the hint.

As for the links you provided, what kernel.org says is not pertinent since fcron worked for some time, so I'd hazard the guess, that the #define pragma is correctly set. The second link hints at an error in pam, I'll have to look at the SuSE site to find out whether it's the same here. The pam_permit.so situation according to my /etc/pam.d/fcron file:
Code:

#
# The PAM configuration file for fcron daemon
#
account          required    pam_unix.so
# Warning : fcron has no way to prompt user for a fcron account !
auth        required    pam_permit.so
#auth      required    pam_unix.so nullok
#auth      required    pam_env.so
account          required    pam_permit.so
#account    required    pam_unix.so
#
# The PAM configuration file for the cron daemon
#
#
#auth    sufficient    pam_rootok.so
#auth    include        common-auth
#account  include        common-account
#password include        common-password
#session  required      pam_loginuid.so
#session  include        common-session

Seems not to be the reason either.


Quote:

Originally Posted by anomie (Post 3611061)
...and haven't been tinkering with PAM).

I certainly have not.

Thanks for your help.

JZL240I-U 07-21-2009 06:17 AM

Okay, access.conf had comments only in its entire body. I appended
Code:

+ : fcron : NONE

to no avail. What can you suggest now?

I also had a look at /var/lock/subsys/fcron. It is empty (0 Bytes) with rw-r--r-- permissions and root as owner and group. That of any help?

anomie 07-21-2009 11:38 AM

Your access.conf should read (to allow all and eliminate it as a possible cause):
Code:

+ : ALL : ALL

I believe that is its default anyway, in the absence of any instructions.

The original problem -
Code:

Jul  8 12:35:11 wodenhof fcron[4422]: Could not open PAM session for '/home/Nicht-SuSE/smartmon/HDtemp.sh': Cannot make/remove an entry for the specified session
- doesn't seem related to pam_access, though. I was probably mistaken in pursuing that lead.

Read this manpage (from the fcrontab project site): http://fcron.free.fr/doc/en/fcrontab.1.html

Perhaps you need to add your username (or "all") to /usr/local/etc/fcron.allow?

I would highly recommend again that you try to track this down in Suse's bug db, wherever that may be. If you haven't made changes to your default configuration, then surely others are running into the same issue.

JZL240I-U 07-23-2009 03:41 AM

Quote:

Originally Posted by anomie (Post 3615382)
...doesn't seem related to pam_access, though. I was probably mistaken in pursuing that lead.

Nope. See below.

Quote:

Originally Posted by anomie (Post 3615382)
...I would highly recommend again that you try to track this down in SuSE's bug db ...

Yeah, right. Sorry I didn't pursue this at once. There is no known bug though, but SuSE follows some roundabout way over which I stumbled. Here is my /etc/pam.d/fcron file:
Code:

#
# The PAM configuration file for fcron daemon
#
#account          required    common-account
#account          required    pam_unix2.so
#account          required    pam_unix.so
# Warning : fcron has no way to prompt user for a fcron account !
#auth      required    pam_env.so 
#auth      required    pam_unix2.so
#auth      required    common-auth
#auth      required    pam_permit.so
#auth      required    pam_unix.so nullok
#auth      required    pam_env.so
account          required    pam_permit.so
#account    required    pam_unix.so
#
# The PAM configuration file for the cron daemon
#
#
auth    sufficient    pam_rootok.so
auth    include        common-auth
account  include        common-account
password include        common-password
session  required      pam_loginuid.so
session  include        common-session

You'll notice all my attempts in the now commented part of the file. I just copied the cron.d file over and 2 minutes later the first backup job ran. Pffff....

The include statements refer to files like this:
Code:

#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the accountorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired.
#
account    required    pam_unix2.so

So I might have adapted the fcron part accordingly. I just was too happy to have things up and running, so I left everything just the way it was even if it should be too many pam modules.
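
An added example, not part of the thread or of fcron: a small Python check for the difference between the two /etc/pam.d/fcron files posted above. Linux-PAM falls back to the `other` service for any management group that has no active line in a service file, so the check lists empty groups and any pam_permit.so in auth or account. BEFORE and AFTER are the posted files with most comment lines trimmed, and the function names are hypothetical.

```python
import re

GROUPS = ("auth", "account", "password", "session")
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# The two /etc/pam.d/fcron versions from the thread, with most
# comment lines trimmed (first post of the file, then the working one).
BEFORE = """\
account   required   pam_unix.so
# Warning : fcron has no way to prompt user for a fcron account !
auth      required   pam_permit.so
account   required   pam_permit.so
#session  required   pam_loginuid.so
#session  include    common-session
"""

AFTER = """\
account   required   pam_permit.so
auth      sufficient pam_rootok.so
auth      include    common-auth
account   include    common-account
password  include    common-password
session   required   pam_loginuid.so
session   include    common-session
"""

def parse_stack(text):
    """Return {group: [(control, module), ...]} for active (uncommented) lines."""
    stacks = {g: [] for g in GROUPS}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) in stacks:
            stacks[m.group(1)].append((m.group(2), m.group(3)))
    return stacks

def audit(text):
    """List empty management groups and pam_permit.so in auth/account."""
    stacks = parse_stack(text)
    findings = [f"{g}: no active entries, falls back to 'other'"
                for g in GROUPS if not stacks[g]]
    for g in ("auth", "account"):
        if any(module == "pam_permit.so" for _, module in stacks[g]):
            findings.append(f"{g}: pam_permit.so present (always returns success)")
    return findings
```

Running `audit(BEFORE)` reports the empty session group that the first file has and the last one does not; `audit(AFTER)` still reports the leftover pam_permit.so line in the account stack.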

