[OpenAFS] Cron jobs without service keytab

Matthew Andrews matt@slackers.net
Sat, 10 Apr 2004 16:35:58 -0700


Hmmm, what system type is this on?

crond on my system (fedora) doesn't seem to be linked against any pam libs:
[matt@arthur]~% ldd /usr/sbin/crond
        libc.so.6 => /lib/tls/libc.so.6 (0x007f1000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x007d9000)
[matt@arthur]~% ldd /bin/login
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00757000)
        libpam.so.0 => /lib/libpam.so.0 (0x00cb4000)
        libdl.so.2 => /lib/libdl.so.2 (0x00950000)
        libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00955000)
        libc.so.6 => /lib/tls/libc.so.6 (0x007f1000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x007d9000)

I suppose it could be a static linkage, but that would seem silly.

If the PAG is really being lost, likely either cron does a setgroups
somewhere and explicitly obliterates the PAG group memberships (I've
seen this before, but I can't remember what program did it), or, if your
cron does use PAM for something, then likely one of your PAM
modules (pam_afs or some such) is requesting a new PAG, and you could
likely just change the PAM config used by pam to not call that module.

-Matt

Derek Atkins wrote:

>Russ Allbery <rra@stanford.edu> writes:
>
>>Lukas Kubin <kubin@opf.slu.cz> writes:
>>
>>>The problem is the standard cron doesn't keep users' jobs inside that
>>>PAG. It uses some PAM methods instead and runs the users' processes so
>>>they don't receive the servers' privileges.
>>
>>So what you're saying is that crond destroys the PAG that you're running
>>it in when it switches users to run an individual user's job?  Hm.  I
>>thought that PAGs survived across setuid(), but maybe I'm wrong.
>
>No, PAGs definitely survive a setuid().  I can run su(1) and the
>root shell will have my PAG and my tokens.
>
>-derek
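The point made in this thread, that a PAG rides in the process's supplementary group list and so survives setuid() but not a setgroups()/initgroups() that rebuilds that list, can be seen with this added C example (not code from the thread or from OpenAFS). It assumes the two-gid encoding the classic OpenAFS Linux client used for a PAG, recalled from the OpenAFS source, so treat the exact constants as an assumption; the group lists are constructed inline.

```c
#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>
#define NOPAG 0xffffffffU

/* PAG id -> the two supplementary gids the classic OpenAFS Linux client
 * used to carry it (assumption: mirrors afs_get_groups_from_pag). */
static void pag_to_groups(uint32_t pag, gid_t *g0p, gid_t *g1p)
{
    uint32_t g0, g1;
    pag &= 0x7fffffff;
    g0 = 0x3fff & (pag >> 14);
    g1 = 0x3fff & pag;
    g0 |= ((pag >> 28) / 3) << 14;
    g1 |= ((pag >> 28) % 3) << 14;
    *g0p = g0 + 0x3f00;
    *g1p = g1 + 0x3f00;
}

/* Inverse: NOPAG unless the gid pair decodes to a valid 'A'-tagged PAG id. */
static uint32_t groups_to_pag(gid_t g0a, gid_t g1a)
{
    uint32_t g0 = (uint32_t)g0a - 0x3f00, g1 = (uint32_t)g1a - 0x3f00, h, l, ret;
    if (g0 >= 0xc000 || g1 >= 0xc000)   /* ordinary gids wrap and fail here */
        return NOPAG;
    l = ((g0 & 0x3fff) << 14) | (g1 & 0x3fff);
    h = (g1 >> 14) + 3 * (g0 >> 14);
    ret = (h << 28) | l;
    return (((ret >> 24) & 0xff) == 'A') ? ret : NOPAG;
}

/* Scan a group list for an adjacent PAG pair; NOPAG if the list has none. */
static uint32_t pag_in_list(const gid_t *gs, int n)
{
    for (int i = 0; i + 1 < n; i++) {
        uint32_t pag = groups_to_pag(gs[i], gs[i + 1]);
        if (pag != NOPAG)
            return pag;
    }
    return NOPAG;
}

int main(void)
{
    gid_t g0, g1, reset[] = { 100, 200 };    /* constructed: user's own groups */
    pag_to_groups(0x41000123u, &g0, &g1);    /* constructed PAG id */
    gid_t in_pag[] = { 100, g0, g1, 200 };   /* same groups, seen inside the PAG */
    printf("inside PAG: 0x%x, after setgroups(): 0x%x\n",
           pag_in_list(in_pag, 4), pag_in_list(reset, 2));
    return 0;
}
```

A setuid() leaves the supplementary list alone, so the pair stays; initgroups() rebuilds the list from the group database, which is why the PAG disappears.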