Bug#983817: cron: jobs don't get rights assigned by pam_group.so

Mon, 01 Mar 2021 16:00:18 -0800 

Package: cron
Version: 3.0pl1-136ubuntu1
Severity: normal


When a job is invoked from cron and the pam_group.so is configured to add 
supplementary groups it DOES NOT work as expected.

pam_group should provide membership based /etc/security/group.conf and it is 
working fine if you test with login or sudo.

After some tests I've compiled pam_group.so in DEBUG and I can confirm that 
pam_setcred in being called by cron and the module is adding the expected 
groups membership.

Then, checking do_command.c of cron I found there is need to call 
pam_setcred(pamh, PAM_REINITIALIZE_CRED | PAM_SILENT) after fork()



-- Package-specific info:
--- EDITOR:


--- /usr/bin/editor:
/usr/bin/nano

--- /usr/bin/crontab:
-rwxr-sr-x 1 root crontab 43720 Feb 13  2020 /usr/bin/crontab

--- /var/spool/cron:
drwxr-xr-x 5 root root 4096 Jul 31  2020 /var/spool/cron

--- /var/spool/cron/crontabs:
drwx-wx--T 2 root crontab 4096 Mar  1 15:18 /var/spool/cron/crontabs

--- /etc/cron.d:
drwxr-xr-x 2 root root 4096 Feb 24 15:23 /etc/cron.d

--- /etc/cron.daily:
drwxr-xr-x 2 root root 4096 Feb  3 17:45 /etc/cron.daily

--- /etc/cron.hourly:
drwxr-xr-x 2 root root 4096 Jul 31  2020 /etc/cron.hourly

--- /etc/cron.monthly:
drwxr-xr-x 2 root root 4096 Jul 31  2020 /etc/cron.monthly

--- /etc/cron.weekly:
drwxr-xr-x 2 root root 4096 Feb  3 17:45 /etc/cron.weekly


-- System Information:
Debian Release: bullseye/sid
  APT prefers focal-updates
  APT policy: (500, 'focal-updates'), (500, 'focal-security'), (500, 'focal'), 
(100, 'focal-backports')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-65-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cron depends on:
ii  adduser              3.118ubuntu2
ii  debianutils          4.9.1
ii  init-system-helpers  1.57
ii  libc6                2.31-0ubuntu9.2
ii  libpam-runtime       1.3.1-5ubuntu4.1
ii  libpam0g             1.3.1-5ubuntu4.1
ii  libselinux1          3.0-1build2
ii  lsb-base             11.1.0ubuntu2
ii  sensible-utils       0.0.12+nmu1

cron recommends no packages.

Versions of packages cron suggests:
pn  anacron                             <none>
pn  checksecurity                       <none>
pn  default-mta | mail-transport-agent  <none>
ii  logrotate                           3.14.0-4ubuntu3

Versions of packages cron is related to:
pn  libnss-ldap   <none>
pn  libnss-ldapd  <none>
pn  libpam-ldap   <none>
pn  libpam-mount  <none>
pn  nis           <none>
pn  nscd          <none>

-- no debconf information

Reply via email to