Package: cron
Version: cron_3.0pl1-105
Severity: normal
Tags: patch

Cron is supposed to honor environment variables as specified in /etc/environment and /etc/security/pam_env.conf, the supported methods of defining environment variables to be inherited by interactive logins as well as cron jobs, but it fails to do so.
The documentation, crontab(5), claims that it honors them:

    On the Debian GNU/Linux system, cron supports the pam_env module, and loads the environment specified by /etc/security/pam_env.conf. How-

Unfortunately, the PAM configuration for cron does not accomplish this. The shipped /etc/pam.d/cron provides:

    auth required pam_env.so

However, cron's use of pam is not under the "auth" service, but rather under "session"; so this well-meaning configuration line is ignored. The patch to fix this is trivial:

--- cron-3.0pl1.orig/debian/cron.pam 2009/01/13 00:00:00 1.1 +++ cron-3.0pl1.orig/debian/cron.pam 2009/01/13 02:29:21 @@ -3,7 +3,7 @@ # @include common-auth -auth required pam_env.so +session required pam_env.so @include common-account @include common-session # Sets up user limits, please define limits for cron tasks

It appears that this line was added but not properly tested as part of cron 3.0pp11-78 in an attempt to close #203737 ("*Use the PAM environment settings, if so configured. (closes: #203737)", "Steve Greenland <stev...@debian.org> Sun, 14 Sep 2003 16:53:36 -0500").

Somewhat tangentially, it's a bit odd to me that crontab(5) mentions /etc/pam.d/pam_env.conf but not /etc/environment. pam_env.so reads both, and I think for most users, the use of /etc/environment is more intuitive and straightforward. So perhaps it's also appropriate to update crontab(5):

--- cron-3.0pl1.orig/crontab.5 2009/01/13 00:00:00 1.1 +++ cron-3.0pl1.orig/crontab.5 2009/01/13 02:30:03 
@@ -84,6 +84,8 @@ On the Debian GNU/Linux system, cron supports the .B pam_env module, and loads the environment specified by +.IR /etc/environment +and .IR /etc/security/pam_env.conf . However, the PAM setting do .B NOT

This bug was found under Ubuntu (cron_3.0pl1-100ubuntu2) but still exists under Debian (cron_3.0pl1-105); the above paths and patches are relative to Debian, though they apply to Ubuntu as well (though the first patch is against cron-3.0pl1/debian/cron/etc/pam.d/cron instead of cron-3.0pl1.orig/debian/cron.pam).

-- System Information:
Debian Release: lenny/sid
  APT prefers hardy-updates
  APT policy: (500, 'hardy-updates'), (500, 'hardy-security'), (500, 'hardy')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-22-server (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages cron depends on:
ii  adduser      3.105ubuntu1           add and remove users and groups
ii  debianutils  2.28.2-0ubuntu1        Miscellaneous utilities specific t
ii  libc6        2.7-10ubuntu4          GNU C Library: Shared libraries
ii  libpam0g     0.99.7.1-5ubuntu6.1    Pluggable Authentication Modules l
ii  libselinux1  2.0.55-0ubuntu4        SELinux policy enforcement, run-ti
ii  lsb-base     3.2-4ubuntu1           Linux Standard Base 3.2 init scrip
ii  sysv-rc      2.86.ds1-14.1ubuntu45  System-V-like runlevel change mech

Versions of packages cron recommends:
ii  sendmail-bin [mail-transp 8.14.2-2build1 powerful, efficient, and scalable

-- no debconf information
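
Review bot: in the debian/cron.pam hunk, the new `session required pam_env.so` line keeps the position of the old auth line, between `@include common-auth` and `@include common-account`, so session rules are now split across the file. Consider moving it down next to `@include common-session`. Also confirm that `required` is the intended control: with it, a pam_env failure fails the session stack for every job, so either say in a comment that this is deliberate or use `optional`. The hunk carries no comment explaining why the module is under session rather than auth; one line recording that would keep the rule from being moved back.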
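
Review bot: in the crontab.5 hunk, the added `.IR /etc/environment` line documents behaviour that only holds once the debian/cron.pam change is applied, so the two changes should land in the same upload, otherwise the manual page claims more than the package does. The paragraph being touched also contains the context line `However, the PAM setting do`; since the patch already edits this paragraph, correcting that to "settings do" in the same hunk would be reasonable.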
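
The misplacement described in the report can be checked mechanically. The following is an added example, not part of the report or of cron: it parses a PAM service file and lists module rules in management groups the application never calls. The sample file contents are constructed from the lines quoted in the report, and `CRON_GROUPS` is an assumption taken from the report's statement that cron does not use the auth stack.

```python
import re

# Constructed input: the module lines of /etc/pam.d/cron quoted in the report.
SHIPPED = """\
# PAM configuration for cron (constructed sample)
@include common-auth
auth       required   pam_env.so
@include common-account
@include common-session
"""
PATCHED = SHIPPED.replace("auth       required", "session    required")

RULE = re.compile(
    r"^(-?)(auth|account|password|session)\s+"   # optional '-' prefix, management group
    r"(\[[^\]]*\]|\S+)\s+"                       # control: keyword or [value=action ...]
    r"(\S+)"                                     # module name or path
)

def module_lines(text):
    """Return (lineno, group, control, module) for every module rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@include"):
            continue                             # includes are not followed here
        m = RULE.match(line)
        if m:
            rules.append((lineno, m.group(2), m.group(3), m.group(4)))
    return rules

def unreached(text, invoked):
    """Rules whose management group the application never calls into."""
    return [r for r in module_lines(text) if r[1] not in invoked]

# Assumption taken from the report: cron does not use the auth stack.
CRON_GROUPS = {"account", "session"}

if __name__ == "__main__":
    for name, conf in (("shipped", SHIPPED), ("patched", PATCHED)):
        for lineno, group, control, module in unreached(conf, CRON_GROUPS):
            print(f"{name}: line {lineno}: {group} {control} {module} is never reached")
```
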