[OpenAFS] Cron jobs without service keytab
Matthew Andrews
matt@slackers.net
Sat, 10 Apr 2004 16:35:58 -0700
Hmmm, what system type is this on?
crond on my system (Fedora) doesn't seem to be linked against any pam libs:
[matt@arthur]~% ldd /usr/sbin/crond
libc.so.6 => /lib/tls/libc.so.6 (0x007f1000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x007d9000)
[matt@arthur]~% ldd /bin/login
libcrypt.so.1 => /lib/libcrypt.so.1 (0x00757000)
libpam.so.0 => /lib/libpam.so.0 (0x00cb4000)
libdl.so.2 => /lib/libdl.so.2 (0x00950000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00955000)
libc.so.6 => /lib/tls/libc.so.6 (0x007f1000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x007d9000)
I suppose it could be a static linkage, but that would seem silly.
If the pag is really being lost, likely either cron does a setgroups
somewhere and explicitly obliterates the pag group memberships (I've
seen this before, but I can't remember what program did it), or, if your
cron does use pam for something, then likely one of your pam
modules (pam_afs or some such) is requesting a new pag, and you could
likely just change the pam config used by cron to not call that module.
-Matt
Derek Atkins wrote:
>Russ Allbery <rra@stanford.edu> writes:
>
>>Lukas Kubin <kubin@opf.slu.cz> writes:
>>
>>>The problem is the standard cron doesn't keep users' jobs inside that
>>>PAG. It uses some PAM methods instead and runs the users' processes so
>>>they don't receive the servers' privileges.
>>
>>So what you're saying is that crond destroys the PAG that you're running
>>it in when it switches users to run an individual user's job? Hm. I
>>thought that PAGs survived across setuid(), but maybe I'm wrong.
>
>No, pag's definitely survive a setuid(). I can run su(1) and the
>root shell will have my PAG and my tokens.
>
>-derek
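The two checks Matt's reply relies on, scripted as an added example that is not part of the thread: whether a daemon's ldd output shows a libpam dependency, and whether a process's supplementary group list still carries an OpenAFS PAG group. The ldd lines are the ones quoted above; the gid list is constructed. The PAG detection assumes the single-group encoding used by newer OpenAFS Linux clients (a gid whose high byte is 0x41, ASCII 'A'); the older two-group encoding that a 2004-era client would have used is not decoded here.

```shell
#!/bin/sh
# Added example; not code from the OpenAFS thread or project.

# links_pam LDD_OUTPUT
# Returns 0 if the ldd output lists a libpam shared object, 1 otherwise.
links_pam() {
    printf '%s\n' "$1" | grep -q 'libpam\.so'
}

# pag_groups "GID GID ..."
# Prints every gid that looks like an OpenAFS PAG group under the
# single-group encoding (high byte 0x41 == 65) and returns 0 if any
# were found, 1 if the list carries no PAG (i.e. the PAG was dropped).
pag_groups() {
    found=1
    for gid in $1; do
        case "$gid" in
            *[!0-9]*) continue ;;   # skip anything that is not a number
        esac
        if [ $(( gid >> 24 )) -eq 65 ]; then
            echo "$gid"
            found=0
        fi
    done
    return $found
}

# ldd output quoted in the post for crond and for /bin/login.
CROND_LDD='libc.so.6 => /lib/tls/libc.so.6 (0x007f1000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x007d9000)'
LOGIN_LDD='libcrypt.so.1 => /lib/libcrypt.so.1 (0x00757000)
libpam.so.0 => /lib/libpam.so.0 (0x00cb4000)
libdl.so.2 => /lib/libdl.so.2 (0x00950000)
libpam_misc.so.0 => /lib/libpam_misc.so.0 (0x00955000)
libc.so.6 => /lib/tls/libc.so.6 (0x007f1000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x007d9000)'

# Constructed gid lists: one as a shell inside pagsh would show, one after a
# setgroups() that dropped the PAG group.
SAMPLE_GIDS_WITH_PAG='100 1094005123 4'
SAMPLE_GIDS_NO_PAG='100 4'

demo() {
    for name in crond login; do
        if [ "$name" = crond ]; then out=$CROND_LDD; else out=$LOGIN_LDD; fi
        if links_pam "$out"; then
            echo "$name: links libpam (check its PAM stack for a PAG-creating module)"
        else
            echo "$name: no libpam dependency"
        fi
    done
    for gids in "$SAMPLE_GIDS_WITH_PAG" "$SAMPLE_GIDS_NO_PAG"; do
        if pags=$(pag_groups "$gids"); then
            echo "groups [$gids]: PAG group present: $pags"
        else
            echo "groups [$gids]: no PAG group, the PAG was lost"
        fi
    done
}

demo
```

To use it on a live system, feed `ldd /usr/sbin/crond` to `links_pam` and the `Groups:` line of `/proc/<pid>/status` (or `id -G`) of the cron child to `pag_groups`; a child that lost its PAG group between the parent and the job is the setgroups case Matt describes.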