Bug#204815: cron: fails when userid not in /etc/shadow

Sat, 24 Apr 2010 10:27:17 -0700 

Hello Evgeny,

this bug has been open for almost 7 years. I ran some tests, and I think
the underlying issue has been solved, one way or another (see below).

Evgeny Stambulchik wrote:
> Steve Greenland wrote:
>> On 10-Aug-03, 06:32 (CDT), Evgeny Stambulchik
>> <fnevg...@plasma-gate.weizmann.ac.il> wrote:
>>> A job assigned to a userid which isn't in /etc/shadow (though exists in
>>> /etc/passwd) isn't executed and no error is syslog'ed. If it matters: I
>>> use a mixed files/ldap nss config; the user doesn't exist in the LDAP
>>> DB either.
>>
>> And why do you think it should work? The shadow database is an intrinsic
>> part for (local) user identity. 
> 
> It's an authentication part, it has nothing to do with identity. I want
> to run a job under an unprivileged account, and all I need is a mapping
> between a username and an uid; /etc/passwd is completely adequate for
> this purpose. Notice I mean a cron job specified via a /etc/cron.d/
> script, not by crontab -u (the latter may probably need /etc/shadow to
> verify if an account is expired).

In fact, cron jobs in /etc/cron.d also check in /etc/shadow for password
expiry, etc. Looking at PAM's source code, this error appears to be
fatal (as in your case) only if the password field in /etc/passwd
contains an "x", in which case an entry MUST exist in /etc/shadow. This
is described in passwd(5).

I tested this with a sample entry in /etc/password:
   I)   testuser:x:10100:10100::/:/bin/bash
   II)  testuser:!:10100:10100::/:/bin/bash

The first entry produces the error you describe - the specified cron job
does not get executed. The second one, however, runs fine.

> I don't see why the result should be
> different from su - <username> -c [...] which works fine without the
> respective /etc/shadow entry.

I can't explain this one, either. Did you perhaps run su - c [...] as root?

>> If there's actually some documented reason that it should, though, then
>> it's either a libc or PAM problem.
> 
> Maybe. I can't tell for sure, but it seems it worked ok before upgrading
> to testing from stable.
> 
>> Do you get an error in auth.log from PAM?
> 
> As I said, no.

The current PAM version in sid (1.1.1-2) logs an Authentication error to
syslog.


Please let me know if you still have this issue or if I can close this bug.


Christian

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to