[OpenAFS] cron and AFS on RHEL6/7

Stephen Quinney stephen@jadevine.org.uk
Fri, 12 Dec 2014 17:06:14 +0000


We have recently spotted that the behaviour of the cronie daemon has
changed and it breaks cron for our users with AFS home directories. The
change in question is:

https://bugzilla.redhat.com/show_bug.cgi?id=697485

In EL6 the code change is in patch cronie-1.4.4-popen697485.patch which was
applied in 1.4.4-9.el6 to add a call to the cron_change_user_permanently
function which does a setreuid call to drop privileges. This is clearly
necessary but there is a (probably unintended) side-effect which is that
access is denied whenever the home directory in the passwd file is
inaccessible (in our case due to a lack of Kerberos ticket and AFS tokens).
We have always worked around this inaccessible home directory problem for
AFS users by setting the HOME environment variable in the crontab to a
directory in the local filesystem (e.g. /tmp); that strategy works fine
with version 1.4.4-7.el6, which does not contain the patch.

This is really just a note that it might affect other sites in the same
way. If anyone knows people at Red Hat to poke to get an improved version of
the patch, that would be great.

Regards,

Stephen Quinney
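
An added sketch, not cronie's code and not part of the original message, of one way a job runner can keep the permanent privilege drop while tolerating an unreachable home directory. It assumes the denial comes from a chdir() into the home directory made after the drop; the function names and the /afs path are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: give up root for good. Group first, while we still may.
 * A real daemon would also reset supplementary groups (initgroups) before this. */
int drop_privs_permanently(uid_t uid, gid_t gid)
{
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    /* Confirm both real and effective ids changed. */
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* Hypothetical helper: enter a working directory as the already-unprivileged
 * user. Prefers the crontab's HOME= override, then the passwd entry, then "/".
 * Returns the directory entered, or NULL if even "/" failed. */
const char *enter_job_dir(const char *pw_dir, const char *env_home)
{
    const char *candidates[3];
    size_t n = 0;

    if (env_home && *env_home) candidates[n++] = env_home;
    if (pw_dir && *pw_dir)     candidates[n++] = pw_dir;
    candidates[n++] = "/";

    for (size_t i = 0; i < n; i++) {
        if (chdir(candidates[i]) == 0)
            return candidates[i];
        fprintf(stderr, "chdir(%s): %s, trying next\n", candidates[i], strerror(errno));
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample: an AFS-style home that is unreachable without tokens. */
    const char *pw_dir = "/afs/example.invalid/home/constructed-user";

    if (drop_privs_permanently(getuid(), getgid()) != 0)
        return 1;
    const char *dir = enter_job_dir(pw_dir, "/tmp");
    printf("job runs in %s\n", dir ? dir : "(nowhere)");
    return dir ? 0 : 1;
}
```

The chdir() is attempted only after the drop, so the directory is never traversed with root's credentials, and a failure there is logged rather than treated as a reason to abandon the job.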
