[opensuse] PAM prevents root access to crontab ?
Hi, I'm running 11.2. I just noticed on every box I have, root /root > crontab Permission denied You (root) are not allowed to access to (crontab) because of pam configuration. And in syslog, Dec 16 13:03:40 desk2 crontab: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth Dec 16 13:03:40 desk2 crontab: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth I've certainly never set any PAM config, or anything. On 11.1 I had no such problems. checking cron's man page, it references the pam man page. Checking the pam & PAM man pages, there's no mention of cron :-/ What's PAM got to do with cron, and how do I get permission to access it? Thanks, BenDJ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 12/16/2009 1:09 PM, Ben DJ wrote:
Hi,
I'm running 11.2. I just noticed on every box I have,
root /root > crontab Permission denied You (root) are not allowed to access to (crontab) because of pam configuration.
And in syslog,
Dec 16 13:03:40 desk2 crontab: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth Dec 16 13:03:40 desk2 crontab: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
I've certainly never set any PAM config, or anything. On 11.1 I had no such problems.
checking cron's man page, it references the pam man page. Checking the pam & PAM man pages, there's no mention of cron :-/
What's PAM got to do with cron, and how do I get permission to access it?
Pam has to do with who can long on and what services they can run. Do you have root login blocked in Yast? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Hi, On Wed, Dec 16, 2009 at 4:38 PM, John Andersen <jsamyth@gmail.com> wrote:
What's PAM got to do with cron, and how do I get permission to access it?
Pam has to do with who can long on and what services they can run.
Do you have root login blocked in Yast?
No, I can certainly log in as root ... @ boot, @ any shell, via ssh, etc. Sudo works as well for my 'normal' user. BenDJ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Am Mittwoch, 16. Dezember 2009 schrieb Ben DJ:
I'm running 11.2. I just noticed on every box I have,
Did you do a fresh install on these boxes or an upgrade?
root /root > crontab Permission denied You (root) are not allowed to access to (crontab) because of pam configuration.
And in syslog,
Dec 16 13:03:40 desk2 crontab: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth Dec 16 13:03:40 desk2 crontab: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
I've certainly never set any PAM config, or anything.
The file /etc/pam.d/password-auth does not exist on both 11.1 and 11.2. Furthermore, "grep -r password-auth /etc/pam.d/" does not give any hit for me. Do you have any line like "...include...password-auth" in your /etc/pam.d/crond?
On 11.1 I had no such problems.
Using a fresh 11.2 installation, crontab works. Besides "crontab" alone is not a valid command, there must be some option.
checking cron's man page, it references the pam man page. Checking the pam & PAM man pages, there's no mention of cron :-/
Well, I do not think that it would be that practical to mention every application that uses pam in the pam man page.
What's PAM got to do with cron, and how do I get permission to access it?
It is used for access control. Gruß Jan -- It's easier said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Hi, On Thu, Dec 17, 2009 at 8:28 AM, Jan Ritzerfeld <suse@mailinglists.jan.ritzerfeld.net> wrote:
The file /etc/pam.d/password-auth does not exist on both 11.1 and 11.2. Furthermore, "grep -r password-auth /etc/pam.d/" does not give any hit for me. Do you have any line like "...include...password-auth" in your /etc/pam.d/crond?
as installed -- i.e., I've never touched it, cat /etc/pam.d/crond # # The PAM configuration file for the cron daemon # # # No PAM authentication called, auth modules not needed account required pam_access.so account include password-auth session required pam_loginuid.so session include password-auth
Using a fresh 11.2 installation, crontab works. Besides "crontab" alone is not a valid command, there must be some option.
SYNOPSIS crontab [-u user] file crontab [-u user] [-l | -r | -e] [-i] [-s] the 2nd line looks like all options are optional -- i.e., 'crontab' alone is fine. but, in any case, 'crontab -e' returns exactly the same result as above ... Permission denied You (root) are not allowed to access to (crontab) because of pam configuration.
Well, I do not think that it would be that practical to mention every application that uses pam in the pam man page.
I didn't suggest that.
What's PAM got to do with cron, and how do I get permission to access it?
It is used for access control.
BenDJ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday, 2009-12-17 at 08:46 -0800, Ben DJ wrote:
On Thu, Dec 17, 2009 at 8:28 AM, Jan Ritzerfeld <> wrote:
The file /etc/pam.d/password-auth does not exist on both 11.1 and 11.2. Furthermore, "grep -r password-auth /etc/pam.d/" does not give any hit for me. Do you have any line like "...include...password-auth" in your /etc/pam.d/crond?
as installed -- i.e., I've never touched it,
cat /etc/pam.d/crond # # The PAM configuration file for the cron daemon # # # No PAM authentication called, auth modules not needed account required pam_access.so account include password-auth session required pam_loginuid.so session include password-auth
It is quite different from mine: bombadillo:~ # cat /etc/pam.d/crond # # The PAM configuration file for the cron daemon # # auth sufficient pam_rootok.so auth include common-auth account include common-account password include common-password session required pam_loginuid.so session include common-session And that is the default configuration: bombadillo:~ # l /etc/pam.d/crond - -rw-r--r-- 1 root root 287 2009-10-24 06:14 /etc/pam.d/crond Please give the output of this command: grep PERMISSION_SECURITY /etc/sysconfig/security You might have "secure" or "paranoid" in there. Default is "easy local".
Using a fresh 11.2 installation, crontab works. Besides "crontab" alone is not a valid command, there must be some option.
SYNOPSIS crontab [-u user] file crontab [-u user] [-l | -r | -e] [-i] [-s]
the 2nd line looks like all options are optional -- i.e., 'crontab' alone is fine.
No, it is not. This is the output on my system: bombadillo:~ # crontab crontab: usage error: file name must be specified for replace usage: crontab [-u user] file crontab [-u user] [ -e | -l | -r ] (default operation is replace, per 1003.2) -e (edit user's crontab) -l (list user's crontab) -r (delete user's crontab) - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAksqZJcACgkQtTMYHG2NR9W9rgCdEp4pz4aVOwGy4TJHOGLdZL+Z /LoAn1P+i2RnmgSVxx2kycbJHPBF+JBM =B/BA -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Hi, Finally stumbled across this: http://en.opensuse.org/Cron_replace Replaced 11.2's cron with: zypper in cronie so now, rpm -qa | grep -i cronie cronie-1.4.3-213.1.x86_64 Now, 'crontab -e' works as expected. As a test, switch back to 'cron' reproduces the problem as in my OP. Afaict, the switch to cronie has not yet been mandated, but I'm guessing 'something' on my systems already has a requirement for it. BenDJ -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Am Donnerstag, 17. Dezember 2009 schrieb Ben DJ:
On Thu, Dec 17, 2009 at 8:28 AM, Jan Ritzerfeld
<suse@mailinglists.jan.ritzerfeld.net> wrote:
The file /etc/pam.d/password-auth does not exist on both 11.1 and 11.2. Furthermore, "grep -r password-auth /etc/pam.d/" does not give any hit for me. Do you have any line like "...include...password-auth" in your /etc/pam.d/crond?
as installed -- i.e., I've never touched it, [...]
However, it looks *very* different from mine, see Carlos' reply. "rpm -qV cron" tells you what?
Using a fresh 11.2 installation, crontab works. Besides "crontab" alone is not a valid command, there must be some option.
SYNOPSIS crontab [-u user] file crontab [-u user] [-l | -r | -e] [-i] [-s]
the 2nd line looks like all options are optional -- i.e., 'crontab' alone is fine.
Well, these options are optional, but "-r" is the default option and indeed needs a file name. Nonetheless, you do not even get there, it was just a hint.
[...]
Well, I do not think that it would be that practical to mention every application that uses pam in the pam man page.
I didn't suggest that. [...]
Imagine that there was a smiley at the end of the line. :) Gruß Jan -- Ninety percent of everything is bullshit. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
participants (4)
-
Ben DJ -
Carlos E. R. -
Jan Ritzerfeld -
John Andersen