Package: cron
Version: 3.0pl1-136ubuntu1
Severity: normal

When a job is invoked from cron and pam_group.so is configured to add supplementary groups, it DOES NOT work as expected. pam_group should provide membership based on /etc/security/group.conf, and it is working fine if you test with login or sudo.

After some tests I've compiled pam_group.so in DEBUG and I can confirm that pam_setcred is being called by cron and the module is adding the expected group membership.

Then, checking do_command.c of cron, I found there is a need to call pam_setcred(pamh, PAM_REINITIALIZE_CRED | PAM_SILENT) after fork().

-- Package-specific info:
--- EDITOR:

--- /usr/bin/editor:
/usr/bin/nano

--- /usr/bin/crontab:
-rwxr-sr-x 1 root crontab 43720 Feb 13 2020 /usr/bin/crontab

--- /var/spool/cron:
drwxr-xr-x 5 root root 4096 Jul 31 2020 /var/spool/cron

--- /var/spool/cron/crontabs:
drwx-wx--T 2 root crontab 4096 Mar 1 15:18 /var/spool/cron/crontabs

--- /etc/cron.d:
drwxr-xr-x 2 root root 4096 Feb 24 15:23 /etc/cron.d

--- /etc/cron.daily:
drwxr-xr-x 2 root root 4096 Feb 3 17:45 /etc/cron.daily

--- /etc/cron.hourly:
drwxr-xr-x 2 root root 4096 Jul 31 2020 /etc/cron.hourly

--- /etc/cron.monthly:
drwxr-xr-x 2 root root 4096 Jul 31 2020 /etc/cron.monthly

--- /etc/cron.weekly:
drwxr-xr-x 2 root root 4096 Feb 3 17:45 /etc/cron.weekly

-- System Information:
Debian Release: bullseye/sid
  APT prefers focal-updates
  APT policy: (500, 'focal-updates'), (500, 'focal-security'), (500, 'focal'), (100, 'focal-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-65-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cron depends on:
ii  adduser              3.118ubuntu2
ii  debianutils          4.9.1
ii  init-system-helpers  1.57
ii  libc6                2.31-0ubuntu9.2
ii  libpam-runtime       1.3.1-5ubuntu4.1
ii  libpam0g             1.3.1-5ubuntu4.1
ii  libselinux1          3.0-1build2
ii  lsb-base             11.1.0ubuntu2
ii  sensible-utils       0.0.12+nmu1

cron recommends no packages.

Versions of packages cron suggests:
pn  anacron                             <none>
pn  checksecurity                       <none>
pn  default-mta | mail-transport-agent  <none>
ii  logrotate                           3.14.0-4ubuntu3

Versions of packages cron is related to:
pn  libnss-ldap   <none>
pn  libnss-ldapd  <none>
pn  libpam-ldap   <none>
pn  libpam-mount  <none>
pn  nis           <none>
pn  nscd          <none>

-- no debconf information