LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-14-2012, 12:27 PM   #1
casperpache
LQ Newbie
 
Registered: Oct 2009
Location: Aberystwyth
Distribution: Redhat 5
Posts: 23

Rep: Reputation: 0
User cron not running.


Hi peeps,
I have a user (applmgr) created on the system and have attempted to create a crontab.
I've currently got it set up to run a simple script (output an ls command to a file) to test that it's working, but I'm getting errors that I can't resolve.

I'm running:
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
2.6.18-164.6.1.el5PAE


/var/log/cron is giving me the errors below:
May 14 12:59:06 gaalpltvmw010e crond[3402]: Permission denied
May 14 12:59:06 gaalpltvmw010e crond[3402]: CRON (applmgr) ERROR: failed to open PAM security session: Bad file descriptor
May 14 12:59:06 gaalpltvmw010e crond[3402]: CRON (applmgr) ERROR: cannot set security context


My /var/log/messages is giving me the following:
May 14 13:08:15 gaalpltvmw010e crond[4110]: pam_access(crond:account): access denied for user `applmgr' from `cron'
May 14 13:08:15 gaalpltvmw010e crond[4110]: pam_access(crond:account): access denied for user `applmgr' from `cron'
May 14 13:08:15 gaalpltvmw010e crond[4110]: pam_access(crond:account): access denied for user `applmgr' from `cron'
May 14 13:08:17 gaalpltvmw010e crond[4110]: Permission denied
May 14 13:08:17 gaalpltvmw010e crond[4110]: Permission denied
May 14 13:08:17 gaalpltvmw010e crond[4110]: Permission denied
May 14 13:08:17 gaalpltvmw010e crond[4110]: CRON (applmgr) ERROR: failed to open PAM security session: Bad file descriptor
May 14 13:08:17 gaalpltvmw010e crond[4110]: CRON (applmgr) ERROR: cannot set security context


/var/log/secure:
May 14 13:09:09 gaalpltvmw010e crond[4175]: pam_access(crond:account): access denied for user `applmgr' from `cron'

I've googled this and tried various solutions, but nothing is working.

I've tried restarting crond (service restart crond) and confirmed that it's running (pgrep cron).

The user is in cron.allow and cron.deny is empty.

My /etc/pam.d/crond shows:

auth sufficient pam_env.so
auth required pam_rootok.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth


and all of my /etc/security/access.conf is commented out.

When I check SELinux (getenforce) it says it's DISABLED.

My /etc/selinux/config looks like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0



I'm all out of ideas now on what to try.... Does anyone have any suggestions, please?
 
Old 05-14-2012, 01:10 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780
Is your applmgr user part of the cron group? These errors sound like permissions problems.
 
Old 05-14-2012, 03:17 PM   #3
Droa
Member
 
Registered: Oct 2011
Location: ~
Distribution: Debian 7
Posts: 60

Rep: Reputation: Disabled
Seems you're trying to do things you're not allowed to on that system. Try adding a group that has access to the files to your user.
 
Old 05-15-2012, 01:06 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.10, Centos 7.5
Posts: 17,606

Rep: Reputation: 2445
1. can you show us the cron entry
2. have you checked /etc/cron.deny, cron.allow?
3. show user's entry in /etc/passwd

 
Old 05-15-2012, 03:45 AM   #5
casperpache
LQ Newbie
 
Registered: Oct 2009
Location: Aberystwyth
Distribution: Redhat 5
Posts: 23

Original Poster
Rep: Reputation: 0
Hi,

Noway2.... I don't have a cron group in /etc/group.
I use: vixie-cron-4.1-77.el5_4.1

Droa..... yeah, that's what I thought, but I just can't see what's stopping it.


chrism01.... My crontab file is as simple as the below (and has a blank line at the end):

SHELL=/bin/bash

# Simple command to run a ls and output to log file.

* * * * * /home/applmgr/test1.sh > /home/applmgr/test1.log 2>&1



Passwd entry is:
applmgr:x:12182:2120:Application ID, Distributed Fulfillment:/home/applmgr:/bin/bash
User looks fine in the shadow file too.

User is in cron.allow
cron.deny file is empty.

-------------

Thanks for the comments so far......
 
Old 05-15-2012, 03:58 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780
How about the following: http://mochabomb.com/blog/cron-error...etc-centos-52/

Do you have an /etc/security/access.conf? According to that link, the need to comment out, or adjust in some fashion, ALL, ALL except root, will cause PAM to issue the access denied messages you are seeing. To me, it looks like you should try adding your user account to the list before commenting it out.

Additionally, according to this link: http://www.flagword.net/2009/09/fail...urity-session/ you may want to double-check the /etc/pam.d/system-auth configuration very carefully (as well as double-checking your /etc/shadow user), because you are getting a session error with bad file descriptor.
 
Old 05-15-2012, 11:20 AM   #7
casperpache
LQ Newbie
 
Registered: Oct 2009
Location: Aberystwyth
Distribution: Redhat 5
Posts: 23

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Noway2 View Post
How about the following: http://mochabomb.com/blog/cron-error...etc-centos-52/

Do you have an /etc/security/access.conf? According to that link, the need to comment out, or adjust in some fashion, ALL, ALL except root, will cause PAM to issue the access denied messages you are seeing. To me, it looks like you should try adding your user account to the list before commenting it out.

Additionally, according to this link: http://www.flagword.net/2009/09/fail...urity-session/ you may want to double-check the /etc/pam.d/system-auth configuration very carefully (as well as double-checking your /etc/shadow user), because you are getting a session error with bad file descriptor.

Thanks for this, I appreciate your help.

Yes, I have the access.conf file, but it's all commented out for some reason.
I'm going to have to read up on PAM security because I don't really know anything about it.
Maybe adding my user would be a good idea, but I just need to go through it and learn what to add.

The only thing I've noticed from the links you have given is a slight difference in /etc/pam.d/crond.
Mine shows the below:
auth sufficient pam_env.so
auth required pam_rootok.so


The link shows it as:
auth sufficient pam_rootok.so
auth required pam_env.so


Whether that makes a difference, I don't know.



The same goes for the system-auth config... I don't understand this yet, so I'm hesitant to just go ahead and change it without knowing what I'm doing and creating security holes.

I believe the user in my shadow file is fine, as this is quite a newly added user.
applmgr:$1$h.RTD.$wq3Zz8x1:15056:0:99999:7:::

If you know what I can put, then I'm willing to give anything a try whilst I read up on it.
 
Old 05-16-2012, 04:19 AM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 780
Here is a link that I think does a pretty good job of explaining the syntax of PAM: http://archive09.linux.com/feature/113567.html

According to that page, the order may actually have an impact. It comes down to the difference between "sufficient" and "required". When called upon to perform an authentication (typically verifying a user and password), the modules in the PAM auth section are called. If a module that is "required" returns a failure, the authentication will fail. The subsequent modules will still be called (to avoid providing an indication of which of them failed) and it doesn't matter if they succeed or fail - the authorization will fail. Alternatively, if a "sufficient" module succeeds, this is enough to satisfy the "sufficient" modules listed below and they are not called.

In your particular case, if pam_rootok.so returns a failure, your authorization will fail - period, yet if pam_env.so is successful, the operation may succeed depending on what follows. The link is the opposite: it requires pam_env to pass, but allows pam_rootok to conditionally fail. In other words, it depends upon which module is causing your issues.

However, in your particular case, it looks like it is the module "account required pam_access.so" that is causing you trouble. Again from the link provided:
Quote:
account
This area is responsible for a wide array of possible account verification functionality. There are many modules available for this facility. Constraints to the use of a service based on checking group membership, time of day, whether a user account is local or remote, etc., are generally enforced by modules which support this facility.
If we continue to dig into this: http://linux.die.net/man/8/pam_access, we see "By default rules for access management are taken from config file /etc/security/access.conf if you don't specify another file." This leads us to this link: http://linux.die.net/man/5/access.conf, which has the rules for access.conf.

Quote:
1)Each line of the login access control table has three fields separated by a ":" character (colon) : permission : users/groups : origins
2)The first field, the permission field, can be either a "+" character (plus) for access granted or a "-" character (minus) for access denied.
3)The second field, the users/group field, should be a list of one or more login names, group names, or ALL (which always matches).
A little bit of care is required while writing these rules. They will be scanned in order. The first one that matches the condition will be executed and the determination made upon that check. This means it is possible to do things such as allow a user access from a particular remote host, or a terminal, but deny from everywhere else.
For example:
Code:
+ : root : 0 tty1  #allow from these terminals
+ : root : 192.168.0.2  #allow from this host
- : root : ALL #deny from everywhere else
Consequently, it would appear that your 'blank' rule set is returning a failure by default for this user. Something along the lines of:
Code:
+ : applmgr : crond
 
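The access.conf rules discussed in the post above can be dry-run before touching crond. The shell function below is an added example (not code from the thread or from Linux-PAM) that evaluates an access.conf-style file for a user and an origin the way pam_access does, following access.conf(5): three colon-separated fields, "#" comments, rules scanned in order with the first match deciding, ALL matching anything, "ALL EXCEPT a b" matching anything not listed after EXCEPT, and access granted when no rule matches at all. Two simplifications are assumptions of the example: the users field is matched against literal user names and ALL only (group and netgroup membership are not resolved), and the origins field is matched literally; crond supplies the origin "cron", which is what the log lines in this thread show.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate an /etc/security/access.conf
# style file for a user and origin the way pam_access does, so the effect of a
# rule set can be predicted before crond is restarted.
#
#   access_conf_check FILE USER ORIGIN
#
# Prints "allow" or "deny" and returns 0 (allow) or 1 (deny).
# Assumptions of this example: field 2 is matched against literal user names
# and ALL only (no group or netgroup lookup), field 3 is matched literally.
access_conf_check() {
    _rc=$(awk -v user="$2" -v origin="$3" '
    # matches(field, value): 1 if the space-separated field matches value,
    # honouring ALL and "ALL EXCEPT a b c"
    function matches(field, value,    n, toks, i, excl, hit) {
        n = split(field, toks, " ")
        hit = 0; excl = 0
        for (i = 1; i <= n; i++) {
            if (excl) {                       # tokens after EXCEPT exclude
                if (toks[i] == value) return 0
                continue
            }
            if (toks[i] == "EXCEPT") { excl = 1; continue }
            if (toks[i] == "ALL" || toks[i] == value) hit = 1
        }
        return hit
    }
    {
        sub(/#.*/, "")                        # strip comments
        if ($0 ~ /^[ \t]*$/) next             # skip blank lines
        n = split($0, f, ":")
        if (n < 3) next                       # malformed: pam_access logs and skips it
        perm = f[1]; users = f[2]; origins = f[3]
        gsub(/^[ \t]+|[ \t]+$/, "", perm)
        gsub(/^[ \t]+|[ \t]+$/, "", users)
        gsub(/^[ \t]+|[ \t]+$/, "", origins)
        if (matches(users, user) && matches(origins, origin)) {
            print ((perm == "+") ? "allow" : "deny")
            found = 1
            exit                              # first matching rule decides
        }
    }
    END { if (!found) print "allow" }         # no matching rule: access granted
    ' "$1")
    printf '%s\n' "$_rc"
    [ "$_rc" = "allow" ]
}
```

Usage on the box in this thread would be `access_conf_check /etc/security/access.conf applmgr cron`. Because a file with every line commented out matches nothing, pam_access grants access for it; a denial therefore comes from an uncommented rule (for example a trailing `- : ALL : ALL` or `- : ALL EXCEPT root : ALL`) or from a different access file named with `accessfile=` on the pam_access line, and both are worth checking before editing the PAM stack.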
Old 05-16-2012, 05:14 AM   #9
casperpache
LQ Newbie
 
Registered: Oct 2009
Location: Aberystwyth
Distribution: Redhat 5
Posts: 23

Original Poster
Rep: Reputation: 0
Thanks again for your help and support; you express a good knowledge of this, I just hope I understand it as much as you after reading through it.

I will have a read through this information and see where I get by the end of the day.

I'll report back on my results.
 
Old 05-17-2012, 11:36 AM   #10
casperpache
LQ Newbie
 
Registered: Oct 2009
Location: Aberystwyth
Distribution: Redhat 5
Posts: 23

Original Poster
Rep: Reputation: 0
Those articles are very helpful for understanding how it works, but it's still a little over my head, so I need more learning.

It does, however, help to explain the error below a bit better; I just need to figure out what bit is causing it, because it seems to go deeper than the few config files that I've looked at.

/var/log/secure:
May 14 13:09:09 gaalpltvmw010e crond[4175]: pam_access(crond:account): access denied for user `applmgr' from `cron'

I have tried a few things and added the user to access.conf, but I still get the error.

Thanks again for the time you have put in to help me; I will report back when I'm a fully qualified PAM security expert.
 
Old 05-25-2012, 05:08 AM   #11
casperpache
LQ Newbie
 
Registered: Oct 2009
Location: Aberystwyth
Distribution: Redhat 5
Posts: 23

Original Poster
Rep: Reputation: 0
I'm back....
I couldn't figure out what was going wrong and assumed there was some kind of setup issue, so I passed this on.

I received a response to say that /etc/pam.d/crond was amended and this resolved the problem...

Original crond:

auth sufficient pam_env.so
auth required pam_rootok.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth



New crond:
auth sufficient pam_rootok.so
auth required pam_env.so
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account sufficient pam_listfile.so onerr=succeed item=user sense=allow file=/etc/security/access-cron.conf
account include system-auth
session required pam_loginuid.so
session include system-auth


Thanks for your help, this is now all resolved.
 
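The fix reported above replaces `account required pam_access.so` with two "sufficient" lines: pam_succeed_if passes root straight through, and pam_listfile passes any user named in /etc/security/access-cron.conf. The shell functions below are an added example (not code from the thread or from Linux-PAM) that simulate that account stack for one user and, in particular, spell out what `onerr=succeed` means: pam_listfile returns its onerr result when it cannot open the list file, so with `onerr=succeed` on a "sufficient" line a missing or unreadable access-cron.conf lets every user pass the account check. A world-writable or non-regular list file is refused by the module instead, so that line simply fails and the decision falls through to system-auth. The file name, the sample user list and the UID used in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): simulate the "account" stack of the new
# /etc/pam.d/crond for one user, showing which line grants access and what
# onerr=succeed does when the list file is missing.
#
#   account sufficient pam_succeed_if.so uid = 0 use_uid quiet
#   account sufficient pam_listfile.so onerr=succeed item=user sense=allow file=/etc/security/access-cron.conf
#   account include    system-auth
#
#   cron_account_decision UID USER LISTFILE
#
# Prints the decision and returns 0 when one of the two "sufficient" lines
# grants access, 1 when neither does and the decision is left to system-auth.

# listfile_state FILE -> "missing" (cannot be opened), "badfile" (not a regular
# file or world-writable, which pam_listfile rejects outright) or "ok".
listfile_state() {
    if [ ! -e "$1" ] || [ ! -r "$1" ]; then echo missing; return 0; fi
    if [ ! -f "$1" ] || [ -n "$(find "$1" -prune -perm -002)" ]; then echo badfile; return 0; fi
    echo ok
}

# listfile_check FILE USER -> mirrors pam_listfile with item=user sense=allow
# onerr=succeed. Returns 0 when the line would grant access, 1 otherwise.
listfile_check() {
    case "$(listfile_state "$1")" in
        missing) echo "allow (onerr=succeed: $1 could not be opened, every user passes)"; return 0 ;;
        badfile) echo "error ($1 is world-writable or not a regular file)"; return 1 ;;
    esac
    # the list holds one user name per line and is compared exactly
    if grep -qx -- "$2" "$1"; then echo allow; return 0; fi
    echo "nomatch ($2 is not listed in $1)"
    return 1
}

# cron_account_decision UID USER LISTFILE
cron_account_decision() {
    if [ "$1" -eq 0 ]; then
        echo "allow (pam_succeed_if: uid = 0)"   # root never consults the list
        return 0
    fi
    if _out=$(listfile_check "$3" "$2"); then
        echo "$_out"
        return 0
    fi
    echo "falls through to system-auth: $_out"
    return 1
}
```

On the system in this thread the call would be `cron_account_decision "$(id -u applmgr)" applmgr /etc/security/access-cron.conf`. The practical consequence of `onerr=succeed` is that the list file must stay present and readable by crond: if it is ever removed or made unreadable, the stack no longer restricts which users may run cron jobs. Keeping it root-owned at mode 0644, and monitoring for the "Couldn't open" message pam_listfile logs when the file is absent, keeps the intended restriction in place; `onerr=fail` is the safer default where a missing file should deny rather than allow.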
  

