Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,629
Could not open PAM session
This is what I get in /var/log/messages for a (f)cron job:
Code:
Jul 8 12:35:11 wodenhof fcron[4422]: Could not open PAM session for '/home/Nicht-SuSE/smartmon/HDtemp.sh': Cannot make/remove an entry for the specified session
Jul 8 12:35:11 wodenhof fcron[4422]: Job '/home/Nicht-SuSE/smartmon/HDtemp.sh' has *not* run.
Jul 8 12:35:11 wodenhof fcron[1650]: read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 1): Success
Jul 8 12:35:11 wodenhof fcron[1650]: read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 2): Success
Jul 8 12:35:12 wodenhof fcron[1650]: read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 3): Success
Jul 8 12:35:13 wodenhof fcron[1650]: Could not read job pid because of closed pipe: setting it to -1
I don't really understand what it means and so I have no idea how to rectify the situation. The job(s) ran some time ago and I don't really remember changing anything in the system. Any ideas?
What OS? Off the top of my head: 1) it could be that your /etc/pam.d/crond rules are malformed (are other cronjobs working?); 2) it could be that you - or your OS - have enabled access control for cron via pam_access, and you're operating outside of the rules' requirements.
Original Poster
Hmm, that's rather complicated to understand. First, it's SuSE 11.0 as stated in my user panel. AFAIK cron jobs (like beagle, updatedb...) are running. I can start the job (script) by hand and it works. I'll post the rules as soon as I get to that box.
This is fcron (http://fcron.free.fr/) which works with pam. How do I find out the rules' requirements?
I'd be curious to see the contents of your /etc/pam.d/crond file, but even then may be unable to help. It might be worthwhile to track down and search Suse's bug db for other users reporting the same problem (presuming you are using a default configuration, and haven't been tinkering with PAM).
Original Poster
Quote:
Originally Posted by anomie
The default access list file should be noted in the manpages for pam_access(8). ...
Please keep in mind that I am a newbie, for all my 2300+ posts here (mostly questions to learn). I'll have a look what my access.conf says, I just learned about its existence from you, thanks for the hint.
As for the links you provided, what kernel.org says is not pertinent since fcron worked for some time, so I'd hazard the guess, that the #define pragma is correctly set. The second link hints at an error in pam, I'll have to look at the SuSE site to find out whether it's the same here. The pam_permit.so situation according to my /etc/pam.d/fcron file:
Code:
#
# The PAM configuration file for fcron daemon
#
account required pam_unix.so
# Warning : fcron has no way to prompt user for a fcron account !
auth required pam_permit.so
#auth required pam_unix.so nullok
#auth required pam_env.so
account required pam_permit.so
#account required pam_unix.so
#
# The PAM configuration file for the cron daemon
#
#
#auth sufficient pam_rootok.so
#auth include common-auth
#account include common-account
#password include common-password
#session required pam_loginuid.so
#session include common-session
Your access.conf should read (to allow all and eliminate it as a possible cause):
Code:
+ : ALL : ALL
I believe that is its default anyway, in the absence of any instructions.
The original problem -
Code:
Jul 8 12:35:11 wodenhof fcron[4422]: Could not open PAM session for '/home/Nicht-SuSE/smartmon/HDtemp.sh': Cannot make/remove an entry for the specified session
- doesn't seem related to pam_access, though. I was probably mistaken in pursuing that lead.
Perhaps you need to add your username (or "all") to /usr/local/etc/fcron.allow?
I would highly recommend again that you try to track this down in Suse's bug db, wherever that may be. If you haven't made changes to your default configuration, then surely others are running into the same issue.
Original Poster
Quote:
Originally Posted by anomie
...doesn't seem related to pam_access, though. I was probably mistaken in pursuing that lead.
Nope. See below.
Quote:
Originally Posted by anomie
...I would highly recommend again that you try to track this down in SuSE's bug db ...
Yeah, right. Sorry I didn't pursue this at once. There is no known bug though, but SuSE follows some roundabout way over which I stumbled. Here is my /etc/pam.d/fcron file:
Code:
#
# The PAM configuration file for fcron daemon
#
#account required common-account
#account required pam_unix2.so
#account required pam_unix.so
# Warning : fcron has no way to prompt user for a fcron account !
#auth required pam_env.so
#auth required pam_unix2.so
#auth required common-auth
#auth required pam_permit.so
#auth required pam_unix.so nullok
#auth required pam_env.so
account required pam_permit.so
#account required pam_unix.so
#
# The PAM configuration file for the cron daemon
#
#
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
You'll notice all my attempts in the now commented part of the file. I just copied the cron.d file over and 2 minutes later the first backup job ran. Pffff....
The include statements refer to files like this:
Code:
#%PAM-1.0
#
# This file is autogenerated by pam-config. All changes
# will be overwritten.
#
# Account-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the accountorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account required pam_unix2.so
So I might have adapted the fcron part accordingly. I just was too happy to have things up and running, so I left everything just the way it was even if it should be too many pam modules.
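Added example, not part of any post in the thread: the log message is about opening a PAM session, and the first /etc/pam.d/fcron quoted above has no uncommented session line while the working one does. The Python sketch below parses a PAM service file and lists the management groups that have no active entry; the BEFORE and AFTER strings are constructed from the two quoted files, and the function names are hypothetical.

```python
GROUPS = ("auth", "account", "password", "session")

# Constructed sample input: active and commented lines from the first quoted file.
BEFORE = """\
account required pam_unix.so
auth required pam_permit.so
#auth required pam_unix.so nullok
account required pam_permit.so
#session required pam_loginuid.so
#session include common-session
"""

# Constructed sample input: active lines from the file that worked.
AFTER = """\
account required pam_permit.so
auth sufficient pam_rootok.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
"""

def active_entries(text):
    """Return {group: [(control, module_or_file), ...]} for uncommented lines."""
    stacks = {g: [] for g in GROUPS}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 3:
            continue
        group = fields[0].lstrip("-").lower()   # a leading '-' marks an optional entry
        if group not in stacks:
            continue
        end = 1
        if fields[1].startswith("["):           # bracketed control, e.g. [success=ok default=die]
            while end < len(fields) - 1 and not fields[end].endswith("]"):
                end += 1
        control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        if rest:
            stacks[group].append((control, rest[0]))
    return stacks

def empty_groups(text):
    """Management groups for which the file defines no active line."""
    return [g for g, entries in active_entries(text).items() if not entries]

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, "-> groups without entries:", empty_groups(text) or "none")
```

Whether an empty group matters depends on which PAM calls the program makes; here the daemon's own log shows it was opening a session.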