Bugzilla – Full Text Bug Listing
| Summary: | root cronjob switching user with "su - someone -c " results in "killed." | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 12.2 | Reporter: | Christian Boltz <suse-beta> |
| Component: | Basesystem | Assignee: | Frederic Crozat <fcrozat> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | meissner |
| Version: | Final | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | openSUSE 12.2 | ||
| Whiteboard: | |||
| Found By: | Beta-Customer | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Christian Boltz
2013-01-31 20:45:31 UTC
does it work if you use "su someone" instead of "su -" ?

Same result - "...killed."

I can't reproduce. Please give more information on your exact crontab file (how is it installed) and what kind of program you are starting in your cronjob. A script reproducing the issue would be welcome. Please also make sure you have audit enabled in your kernel.

Last item first - auditd is happily logging so that I can update the apparmor profiles if needed - so I'd assume audit is enabled in the kernel ;-)

Now to the reproducer: As root, run "crontab -e" and make sure the crontab contains the following

----------
MAILTO=root
PATH=/bin:/usr/local/bin:/usr/bin:/sbin:/usr/sbin
8 12 * * * /tmp/crontest
----------

MAILTO is important to actually receive the mail (without it, the mail will be /dev/null'ed) - change the mail address if needed.

/tmp/crontest is a small test script:

----------
#!/bin/bash
echo one
su cb -c 'echo two-as-cb'
echo three
----------

chmod +x it, replace "cb" with your username and wait for the cronjob to run.

The result is this mail (hostname replaced with ***)

----------
Subject: Cron <root@***> /tmp/crontest
From: Cron Daemon <root@***>
To. root@***

one
two-as-cb
...killed.
three
----------

ok, confirmed, it works the first time and then, I get the "killed" for following calls.

adding "session optional pam_loginuid.so" in su works around the issue, but it is not recommended by pam_loginuid.so manpage: "You should not use it for applications like sudo or su as that defeats the purpose by changing the loginuid to the account they just switched to."

ok, it looks like /etc/pam.d/cron is missing a "session include common-session" or at least "-session optional pam_systemd.so" after the "session required pam_loginuid.so" line

after digging a little more, patch cronie-pam_config.diff had incorrect "remove/added lines" info, which caused patch to not add the line "session include common-session" to /etc/pam.d/crond.

This caused this issue and I've confirmed corrected patch fixes the issue (see package in http://download.opensuse.org/repositories/home:/fcrozat:/branches:/openSUSE:/12.2:/Update/openSUSE_12.2_Update/ in one hour).

requesting maintenance update

mr 151104

I'll forward to Factory

accepted

This is an autogenerated message for OBS integration: This bug (801553) was mentioned in https://build.opensuse.org/request/show/151104 Maintenance /

(In reply to comment #7)
> after digging a little more, patch cronie-pam_config.diff had incorrect
> "remove/added lines" info, which caused patch to not add the line "session
> include common-session" to /etc/pam.d/crond.

Tested by manually applying the patch to /etc/pam.d/crond - works :-)

Thanks for fixing this!

openSUSE-RU-2013:0268-1: An update that has one recommended fix can now be installed.

Category: recommended (low)
Bug References: 801553
CVE References:
Sources used:
openSUSE 12.2 (src): cronie-1.4.8-37.9.1
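
Added example, not part of the bug report or of the cronie package: a shell check for the condition the thread identifies, namely a "session include common-session" or a pam_systemd.so session line appearing after the pam_loginuid.so session line in a PAM service file. The function names and the three sample files are constructed for illustration; the samples are not the real openSUSE files.

```shell
#!/bin/sh
# check_cron_pam FILE
# Returns 0 if a "session include common-session" or a pam_systemd.so session
# line follows the pam_loginuid.so session line, 1 if not, 2 if unreadable.
check_cron_pam() {
    [ -r "$1" ] || { echo "unreadable: $1"; return 2; }
    awk '
        { sub(/#.*/, "") }                    # drop comments
        NF < 3 { next }                       # blank or incomplete line
        { type = $1; sub(/^-/, "", type) }    # "-session" is still type session
        type != "session" { next }
        /pam_loginuid\.so/ { loginuid = 1; next }
        # Only lines after pam_loginuid.so count, following the thread wording.
        loginuid && $2 == "include" && $3 == "common-session" { ok = 1 }
        loginuid && /pam_systemd\.so/ { ok = 1 }
        END {
            if (!loginuid) { print "no pam_loginuid.so session line"; exit 1 }
            if (!ok) {
                print "gap: no common-session include or pam_systemd.so after pam_loginuid.so"
                exit 1
            }
            print "ok: common-session include or pam_systemd.so follows pam_loginuid.so"
        }
    ' "$1"
}

# Constructed samples: "before" lacks the include, "after" has the line the
# corrected patch adds, "systemd" uses the alternative named in the thread.
write_samples() {
    printf '%s\n' 'auth     sufficient pam_rootok.so' \
                  'account  include    common-account' \
                  'session  required   pam_loginuid.so' > "$1/before"
    { cat "$1/before"; echo 'session  include    common-session'; } > "$1/after"
    { cat "$1/before"; echo '-session optional   pam_systemd.so  # alternative'; } > "$1/systemd"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in before after systemd; do
    printf '%s: ' "$f"
    check_cron_pam "$demo_dir/$f" || :
done
rm -rf "$demo_dir"
```

On an affected system the same function can be pointed at /etc/pam.d/crond before and after installing the update.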