LinuxQuestions.org


casperpache 05-14-2012 12:27 PM

User cron not running.
 
Hi peeps,
I have a user (applmgr) created on the system and have attempted to create a crontab.
I've currently got it set up to run a simple script (output an ls command to a file) to test that it's working, but I'm getting errors that I can't resolve.

I'm running:
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
2.6.18-164.6.1.el5PAE


The /var/log/cron is giving me the below error:
May 14 12:59:06 gaalpltvmw010e crond[3402]: Permission denied
May 14 12:59:06 gaalpltvmw010e crond[3402]: CRON (applmgr) ERROR: failed to open PAM security session: Bad file descriptor
May 14 12:59:06 gaalpltvmw010e crond[3402]: CRON (applmgr) ERROR: cannot set security context


My /var/log/messages is giving me the below:
May 14 13:08:15 gaalpltvmw010e crond[4110]: pam_access(crond:account): access denied for user `applmgr' from `cron'
May 14 13:08:15 gaalpltvmw010e crond[4110]: pam_access(crond:account): access denied for user `applmgr' from `cron'
May 14 13:08:15 gaalpltvmw010e crond[4110]: pam_access(crond:account): access denied for user `applmgr' from `cron'
May 14 13:08:17 gaalpltvmw010e crond[4110]: Permission denied
May 14 13:08:17 gaalpltvmw010e crond[4110]: Permission denied
May 14 13:08:17 gaalpltvmw010e crond[4110]: Permission denied
May 14 13:08:17 gaalpltvmw010e crond[4110]: CRON (applmgr) ERROR: failed to open PAM security session: Bad file descriptor
May 14 13:08:17 gaalpltvmw010e crond[4110]: CRON (applmgr) ERROR: cannot set security context


the /var/log/secure:-
May 14 13:09:09 gaalpltvmw010e crond[4175]: pam_access(crond:account): access denied for user `applmgr' from `cron'

I've googled this and tried various solutions but nothing is working.

I've tried restarting the crond (service restart crond) and confirmed that it's running (pgrep cron).

The user is in the cron.allow and the cron.deny is empty.

My /etc/pam.d/crond shows:

auth sufficient pam_env.so
auth required pam_rootok.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth


and all of my /etc/security/access.conf is commented out.

When I check SELinux (getenforce) it says it's DISABLED.

My /etc/selinux/config looks like the below:-
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0



I'm all out of ideas now on what to try.... does anyone have any suggestions please?

Noway2 05-14-2012 01:10 PM

Is your applmgr user part of the cron group? These errors sound like permissions problems.

Droa 05-14-2012 03:17 PM

Seems you're trying to do things you're not allowed to on that system; try adding a group that has access to the files to your user.

chrism01 05-15-2012 01:06 AM

1. can you show us the cron entry
2. have you checked /etc/cron.deny, cron.allow?
3. show user's entry in /etc/passwd

casperpache 05-15-2012 03:45 AM

Hi,

Noway2.... I don't have a cron group in /etc/group.
I use:- vixie-cron-4.1-77.el5_4.1

Droa..... yeah, that's what I thought but I just can't see what's stopping it.


chrism01.... My crontab file is as simple as the below:- (and has a blank line at the end.)

SHELL=/bin/bash

# Simple command to run a ls and output to log file.

* * * * * /home/applmgr/test1.sh > /home/applmgr/test1.log 2>&1



Passwd entry is:
applmgr:x:12182:2120:Application ID, Distributed Fulfillment:/home/applmgr:/bin/bash
User looks fine in the shadow file too.

User is in cron.allow
cron.deny file is empty.

-------------

Thanks for the comments so far......

Noway2 05-15-2012 03:58 AM

How about the following: http://mochabomb.com/blog/cron-error...etc-centos-52/

Do you have an /etc/security/access.conf? According to that link, the need to comment out, or adjust in some fashion, ALL, ALL except root, will cause PAM to issue the access denied messages you are seeing. To me, it looks like you should try adding your user account to the list before commenting it out.

Additionally, according to this link: http://www.flagword.net/2009/09/fail...urity-session/ you may want to double check the /etc/pam.d/system-auth configuration very carefully (as well as doublecheck your /etc/shadow user, because you are getting a session error with bad file descriptor.

casperpache 05-15-2012 11:20 AM

Quote:

Originally Posted by Noway2 (Post 4678632)

Thanks for this, I appreciate your help.

Yes, I have the access.conf file but it's all commented out for some reason.
I'm going to have to read up on the PAM security because I don't really know anything about it.
Maybe adding my user would be a good idea, but I just need to go through it and learn what to add.

The only thing I've noticed from the links you have given is a slight difference in the /etc/pam.d/crond:-
Mine shows the below:
auth sufficient pam_env.so
auth required pam_rootok.so


The link shows it as:
auth sufficient pam_rootok.so
auth required pam_env.so


Whether that makes a difference I don't know.



The same goes for the system-auth config... I don't understand this yet so I'm hesitant to just go ahead changing this without knowing what I'm doing and creating security holes.

I believe the user in my shadow file is fine as this is quite a newly added user.
applmgr:$1$h.RTD.$wq3Zz8x1:15056:0:99999:7:::

If you know what I can put then I'm willing to give anything a try whilst I read up on it. ;)

Noway2 05-16-2012 04:19 AM

Here is a link that I think does a pretty good job of explaining the syntax of PAM: http://archive09.linux.com/feature/113567.html

According to that page, the order may actually have an impact. It falls to the difference between "sufficient" and "required". When called upon to perform an authentication (typically verify a user, password) the modules in PAM auth section are called. If a module that is "required" returns a failure, the authentication will fail. The subsequent modules will still be called (to avoid providing indication of which of them failed) and it doesn't matter if they succeed or fail - the authorization will fail. Alternatively, if a "sufficient" module succeeds, this is enough to satisfy the "sufficient" modules listed below and they are not called.

In your particular case, if pam_rootok.so returns a failure, your authorization will fail - period, yet if pam_env.so is successful, the operation may succeed depending on what follows. The link is the opposite: it requires pam_env to pass, but allows pam_rootok to conditionally fail. In other words, it depends upon which module is causing your issues.

However, in your particular case, it looks like it is the module "account required pam_access.so" that is causing you trouble. Again from the link provided:
Quote:

account
This area is responsible for a wide array of possible account verification functionality. There are many modules available for this facility. Constraints to the use of a service based on checking group membership, time of day, whether a user account is local or remote, etc., are generally enforced by modules which support this facility.
If we continue to dig into this: http://linux.die.net/man/8/pam_access, we see "By default rules for access management are taken from config file /etc/security/access.conf if you don't specify another file." This leads us to this link: http://linux.die.net/man/5/access.conf, which has the rules for access.conf.

Quote:

1)Each line of the login access control table has three fields separated by a ":" character (colon) : permission : users/groups : origins
2)The first field, the permission field, can be either a "+" character (plus) for access granted or a "-" character (minus) for access denied.
3)The second field, the users/group field, should be a list of one or more login names, group names, or ALL (which always matches).
A little bit of care is required while writing these rules. They will be scanned in order. The first one that matches the condition will be executed and the determination made upon that check. This means it is possible to do things such as allow a user access from a particular remote host, or a terminal, but deny from everywhere else.
For example:
Code:

+ : root : 0 tty1  #allow from these terminals
+ : root : 192.168.0.2  #allow from this host
- : root : ALL #deny from everywhere else

Consequently, it would appear that your 'blank' rule set is returning a failure by default for this user. Something along the lines of:
Code:

+ : applmgr : crond
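
To make the first-match rule quoted above concrete, here is an added example (not from the thread or from pam_access itself) that parses access.conf-style lines and evaluates them for a user/origin pair; the origin name `cron` is taken from the `from `cron'` wording in the log lines earlier in the thread, and the rule files are constructed. It deliberately omits EXCEPT lists, group names and network masks that the real module also understands.

```python
"""Minimal evaluator for the first-match semantics of /etc/security/access.conf.

Added example, not part of the thread. Simplified: the real pam_access also
handles EXCEPT lists, group names and network masks, which are left out here.
"""

# Constructed rule sets. The first is the man-page example quoted in the thread.
MAN_PAGE_EXAMPLE = """
+ : root : 0 tty1  #allow from these terminals
+ : root : 192.168.0.2  #allow from this host
- : root : ALL #deny from everywhere else
"""

# Constructed: allow the application account only via the cron service.
CRON_EXAMPLE = """
# applmgr may run jobs from cron, nowhere else
+ : applmgr : cron
- : applmgr : ALL
"""


def parse_rules(text):
    """Return (allow, users, origins) tuples; blank lines and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _matches(field, value):
    """ALL always matches; otherwise an exact name match is required."""
    return any(item == "ALL" or item == value for item in field)


def access_allowed(rules, user, origin):
    """Scan in order; the first rule matching both user and origin decides.

    When no rule matches, pam_access grants access, which is why a fully
    commented-out file denies nobody.
    """
    for allow, users, origins in rules:
        if _matches(users, user) and _matches(origins, origin):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_rules(MAN_PAGE_EXAMPLE)
    print(access_allowed(rules, "root", "tty1"))      # True: first rule matches
    print(access_allowed(rules, "root", "10.0.0.5"))  # False: only the ALL deny matches
    print(access_allowed(parse_rules(CRON_EXAMPLE), "applmgr", "cron"))  # True
```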

casperpache 05-16-2012 05:14 AM

Thanks again for your help and support; you express a good knowledge of this, I just hope I understand it as much as you after reading through it. :)

I will have a read through this information and see where I get by the end of the day.

I'll report back on my results.

casperpache 05-17-2012 11:36 AM

Those articles are very helpful to understand how it works, but it's still a little over my head so I need more learning.

It does however help to explain the error below a bit better; I just need to figure out what bit is causing it, because it seems to go deeper than the few config files that I've looked at.

/var/log/secure:-
May 14 13:09:09 gaalpltvmw010e crond[4175]: pam_access(crond:account): access denied for user `applmgr' from `cron'

I have tried a few things and added the user to the access.conf but I still get the error.

Thanks again for the time you have put in to help me, I will report back when I'm a fully qualified PAM security expert. :)

casperpache 05-25-2012 05:08 AM

I'm back....
I couldn't figure out what was going wrong and assumed there was some kind of setup issue, so I passed this on.

I received a response to say that the /etc/pam.d/crond was amended and this resolved the problem...

Original crond:

auth sufficient pam_env.so
auth required pam_rootok.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth



New crond:
auth sufficient pam_rootok.so
auth required pam_env.so
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account sufficient pam_listfile.so onerr=succeed item=user sense=allow file=/etc/security/access-cron.conf
account include system-auth
session required pam_loginuid.so
session include system-auth


Thanks for your help, this is now all resolved.

