LinuxQuestions.org
Old 01-22-2014, 12:55 AM   #1
newbie14
Member
 
Registered: Sep 2011
Posts: 595

Rep: Reputation: Disabled
FAILED to authorize user with PAM (Permission denied)


Hi,
I ran my logwatch and saw a list of these entries:

FAILED to authorize user with PAM (Permission denied)
I have actually run these commands: echo "root" > /etc/cron.allow and echo "myuser" >> /etc/cron.allow. What else do I need to do to overcome this error?

Further below I have this.

Code:
**Unmatched Entries**
    crond: pam_access(crond:account): access denied for user `root' from `cron': 496 Time(s)
    groupadd: group added to /etc/group: name=apache, GID=48: 1 Time(s)
    groupadd: group added to /etc/group: name=mock, GID=135: 1 Time(s)
    groupadd: group added to /etc/group: name=mysql, GID=27: 1 Time(s)
    groupadd: group added to /etc/group: name=ossec, GID=498: 1 Time(s)
    groupadd: group added to /etc/gshadow: name=apache: 1 Time(s)
    groupadd: group added to /etc/gshadow: name=mock: 1 Time(s)
    groupadd: group added to /etc/gshadow: name=mysql: 1 Time(s)
    groupadd: group added to /etc/gshadow: name=ossec: 1 Time(s)
    useradd: add 'ossec' to group 'ossec': 1 Time(s)
    useradd: add 'ossec' to shadow group 'ossec': 1 Time(s)
    useradd: add 'ossece' to group 'ossec': 1 Time(s)
    useradd: add 'ossece' to shadow group 'ossec': 1 Time(s)
    useradd: add 'ossecm' to group 'ossec': 1 Time(s)
    useradd: add 'ossecm' to shadow group 'ossec': 1 Time(s)
    useradd: add 'ossecr' to group 'ossec': 1 Time(s)
    useradd: add 'ossecr' to shadow group 'ossec': 1 Time(s)
 
Old 01-22-2014, 10:35 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Please post the contents of your current:
  • /etc/cron.allow
  • /etc/pam.d/crond (or /etc/pam.d/cron)

What OS / version? Is SELinux enabled? (You can check with the 'getenforce' command.)
 
Old 01-23-2014, 08:41 AM   #3
newbie14
Member
 
Registered: Sep 2011
Posts: 595

Original Poster
Rep: Reputation: Disabled
Dear Anomie,
The content of /etc/cron.allow is

Quote:
root
myuser
and /etc/pam.d/crond is

Quote:
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
The OS is CentOS release 6.5 (Final) and getenforce is Enforcing (should I disable this?)

Last edited by newbie14; 01-23-2014 at 08:47 AM.
 
Old 01-23-2014, 08:45 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
I suppose we can start by hitting it with a big stick. Yes, I'd disable SELinux (using setenforce, or modifying /etc/selinux/config and restarting the system).

If that solves the problem, this may be fixable by re-applying the "SELinux context", and then re-enabling it. If it doesn't solve the problem, we move on to the next most obvious causes.
 
Old 01-24-2014, 10:00 AM   #5
newbie14
Member
 
Registered: Sep 2011
Posts: 595

Original Poster
Rep: Reputation: Disabled
Dear Anomie,
I have adjusted /etc/selinux/config, disabled it and rebooted the system. How do I check now whether it's gone or not? I guess I will wait for one more day and then run logwatch? Another thing: can I determine which cron is having the problem, because it does not indicate clearly?
 
Old 01-24-2014, 11:07 AM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
First of all, check with 'getenforce' to confirm SELinux is really disabled.

Then keep an eye on the log (and watch for further errors), a la:
Code:
# tail -f /var/log/cron
 
Old 01-25-2014, 04:01 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578
Quote:
Originally Posted by anomie
I suppose we can start by hitting it with a big stick. Yes, I'd disable SELinux
...or you can first try the more efficient and subtle approach of checking /var/log/audit/ logs for clues ;-p
 
Old 01-25-2014, 07:59 AM   #8
newbie14
Member
 
Registered: Sep 2011
Posts: 595

Original Poster
Rep: Reputation: Disabled
Dear Anomie,
I tried this command and below is the output, but which cron is this that runs every 10 minutes in this log? I have confirmed this.
Quote:
getenforce
Disabled

Quote:
tail -f /var/log/cron
Jan 25 20:30:01 pro1 crond[10573]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 20:40:01 pro1 crond[10606]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 20:50:01 pro1 crond[11089]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 21:00:01 pro1 crond[11366]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 21:01:01 pro1 crond[11370]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 21:10:01 pro1 crond[11398]: (root) FAILED to authorize user with PAM (Permission denied)
From unSpawn's suggestion I saw these lines. I am not too sure what the log is representing but I can see it shows success there.

Quote:
type=USER_ACCT msg=audit(1389171001.124:74352): user pid=21011 uid=0 auid=0 ses=3320 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1389171001.124:74353): user pid=21011 uid=0 auid=0 ses=3320 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1389171001.124:74354): pid=21011 uid=0 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 old auid=0 new auid=0 old ses=3320 new ses=8614
type=USER_START msg=audit(1389171001.125:74355): user pid=21011 uid=0 auid=0 ses=8614 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1389171001.177:74356): user pid=21011 uid=0 auid=0 ses=8614 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1389171001.177:74357): user pid=21011 uid=0 auid=0 ses=8614 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1389171601.183:74358): user pid=21030 uid=0 auid=0 ses=3320 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1389171601.183:74359): user pid=21030 uid=0 auid=0 ses=3320 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1389171601.183:74360): pid=21030 uid=0 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 old auid=0 new auid=0 old ses=3320 new ses=8615
type=USER_START msg=audit(1389171601.183:74361): user pid=21030 uid=0 auid=0 ses=8615 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1389171601.242:74362): user pid=21030 uid=0 auid=0 ses=8615 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1389171601.242:74363): user pid=21030 u
 
Old 01-25-2014, 09:26 PM   #9
newbie14
Member
 
Registered: Sep 2011
Posts: 595

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
Today my server hung completely and could not be accessed. Could it be due to this problem or any other bug in the new kernel?
 
Old 01-26-2014, 02:36 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578
Quote:
Originally Posted by newbie14
I am not too sure what the log is representing but I can see it shows success there.
Only success so that can't be it. What does this show?:
Code:
grep "^+.*cron" /etc/security/access.conf

Quote:
Originally Posted by newbie14
Today my server hung completely and could not be accessed. Could it be due to this problem or any other bug in the new kernel?
You should know by now that we are not clairvoyant. So without any meaningful log file contents, terminal output or whatever else the system spits out we can not tell you anything.
 
Old 01-26-2014, 11:06 PM   #11
newbie14
Member
 
Registered: Sep 2011
Posts: 595

Original Poster
Rep: Reputation: Disabled
Dear Unspawn,
Below is my results.

Quote:
grep "^+.*cron" /etc/security/access.conf
+ : root : cron crond :0 tty1
+ : myuser : cron crond tty2
I have attached my /var/log/message. I don't really see any indication. If you notice, I just extracted the previous output, which is for Jan 24 23:48:02 when I rebooted the server, and one from yesterday, Jan 26 10:52:23. Before this timestamp, Jan 26 10:52:23, I don't see any record in the log messages to indicate any possible issue. What other log files should I be digging in?
Attached Files
File Type: txt message1.txt (120.2 KB, 112 views)
 
Old 01-28-2014, 01:24 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578
Cron line looks OK. Is this a new machine or the one we prepped earlier? If it is a new one (and provided the old one still works OK) I'd diff configs in /etc/ first with the old one. Also look for which cron job is set to fire approximately every ten minutes. If it is the old one then you should look into what changes you made between when it ran OK and now. If it's a new machine and you're quite certain configs match the old setup then could you create a new unprivileged user, set a strong password, add the user to /etc/cron.allow and /etc/security/access.conf and test if a cron job for this user works / fails?
 
Old 01-28-2014, 03:56 AM   #13
newbie14
Member
 
Registered: Sep 2011
Posts: 595

Original Poster
Rep: Reputation: Disabled
Dear unSpawn,
No, this is a new machine and I strictly followed the whole 2-stage guide you gave me a long time ago, except that I replaced Aide with Ossec. How do I run the diff between 2 servers? It's a lot of server settings, right, and I guess this can only be done manually? I tried crontab -e with both of my users on my server and it gives me this error:

Quote:
[root@pro1 ~]# crontab -e

Permission denied
You (root) are not allowed to access to (crontab) because of pam configuration.

[myuser@pro1 ~]$ crontab -e

Permission denied
You (myuser) are not allowed to access to (crontab) because of pam configuration.
I created a new user called mytest and did both of these: echo "mytest" >> /etc/cron.allow, and edited /etc/security/access.conf to add + : mytest : cron crond tty2. Finally I tried to log in using the new user and run crontab -e: same error.

Quote:
Permission denied
You (mytest) are not allowed to access to (crontab) because of pam configuration.

So I guess my pam is the one not allowing here. I want to delete the new user; is userdel -r mytest sufficient?

Also I did some googling and some suggest commenting out #account required pam_access.so in /etc/pam.d/crond, but this will turn off PAM, right?

Last edited by newbie14; 01-28-2014 at 04:07 AM.
 
Old 01-28-2014, 12:27 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,406
Blog Entries: 55

Rep: Reputation: 3578
Quote:
Originally Posted by newbie14
How do I run the diff between 2 servers? It's a lot of server settings, right, and I guess this can only be done manually?
Make a tar ball of /etc, scp it over to the other machine, decompress into some temporary directory, then run 'diff -rq' on the etc/ in the temporary directory and /etc?


Quote:
Originally Posted by newbie14
[root@pro1 ~]# crontab -e

Permission denied
You (root) are not allowed to access to (crontab) because of pam configuration.
Now that is an odd error.


Quote:
Originally Posted by newbie14
So I guess my pam is the one not allowing here. I want to delete the new user; is userdel -r mytest sufficient?
Seems like it, we'll have to find out why. If you 'userdel' also don't forget to 'groupdel' if the user has its own group.


Quote:
Originally Posted by newbie14
Also I did some googling and some suggest commenting out #account required pam_access.so in /etc/pam.d/crond, but this will turn off PAM, right?
It will enable any user to use cron jobs: see 'man pam_access'. I'd rather first try adding "debug" to the line:
Code:
account    required   pam_access.so debug
and see if that shows clues. Else we'll have to start from scratch checking all permissions, SELinux contexts and such...
 
Old 01-28-2014, 12:35 PM   #15
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by newbie14
Also I did some googling and some suggest commenting out #account required pam_access.so in /etc/pam.d/crond, but this will turn off PAM, right?
You can try commenting it out temporarily to see if the problem resolves, but remove the comment after you're done testing.

I would expect commenting that line out to work, but it's definitely not a "fix". We should get to the root cause of the problem here (which I am beginning to suspect is a malformed / bad character in /etc/security/access.conf).

When you're ready, modify your /etc/pam.d/crond to include the line:
Code:
account    required   pam_access.so debug
This should provide verbose logging, and better insight into what is really happening. After adding that line, let the cron daemon run for awhile, and check /var/log/secure and /var/log/messages.

-------

I was eight minutes too slow. But I agree with the debugging approach.

Last edited by anomie; 01-28-2014 at 12:37 PM.
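
The suspicion raised above, a malformed line or bad character in /etc/security/access.conf, can be checked mechanically. The following is an added example, not part of the original thread: a shell function, `check_access_conf` (a hypothetical name), that flags carriage returns, non-printable or non-ASCII bytes and lines with too few fields. The sample file is constructed, and treating everything after the second colon as the origins field is an assumption made so that origins such as `:0` are accepted.

```shell
#!/bin/sh
# check_access_conf FILE: print one finding per suspicious line.
# Exit status 0 means no findings, 1 means at least one.
check_access_conf() {
    LC_ALL=C awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function flag(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        /\r/           { flag("carriage return (DOS line ending?)"); gsub(/\r/, "") }
        /[^\t -~]/     { flag("non-printable or non-ASCII byte") }
        /^[ \t]*(#|$)/ { next }   # comments and blank lines carry no rule
        {
            # Assumption: origins run to end of line, so ":0" is a valid origin.
            i = index($0, ":"); rest = substr($0, i + 1); j = index(rest, ":")
            if (i == 0 || j == 0) { flag("fewer than three fields"); next }
            perm    = trim(substr($0, 1, i - 1))
            users   = trim(substr(rest, 1, j - 1))
            origins = trim(substr(rest, j + 1))
            if (perm != "+" && perm != "-") flag("permission field is not + or -")
            if (users == "")   flag("empty users field")
            if (origins == "") flag("empty origins field")
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# make_sample FILE: write a constructed access.conf (not taken from any host).
make_sample() {
    {
        printf '%s\n' '+ : root : cron crond :0 tty1'      # line 1: clean
        printf '+ :\302\240myuser : cron crond tty2\n'     # line 2: UTF-8 no-break space
        printf '+ : mytest : cron crond tty2\r\n'          # line 3: CRLF ending
        printf '%s\n' '+ : baduser cron crond'             # line 4: missing a colon
        printf '%s\n' '# constructed comment line'         # line 5: ignored
        printf '%s\n' '- : ALL : ALL'                      # line 6: clean
    } > "$1"
}

sample=$(mktemp)
make_sample "$sample"
check_access_conf "$sample" || echo "sample access.conf has problems"
rm -f "$sample"
```

Run it against a copy of the real file; a clean result rules out only these formatting problems, not rule order or origin names.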
 
  

