https://bugzilla.wikimedia.org/show_bug.cgi?id=36206

       Web browser: ---
             Bug #: 36206
           Summary: system users can't run cron jobs due to access.conf
           Product: Wikimedia Labs
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Unprioritized
         Component: Setup
        AssignedTo: [email protected]
        ReportedBy: [email protected]
                CC: [email protected]
    Classification: Unclassified
   Mobile Platform: ---


in labs, if you create a new system user via puppet, in a class
applied to your instance, and then add cron jobs into this user's
crontab, this does not mean they are executed yet.

you will see the jobs with "crontab -u <user> -l", you will be able to
execute the exact commands,
also as that user with sudo, like "sudo -u <user> -s
/full/path/command/from/crontab foo" and that will work,
but they will not be executed due to access.conf

if you check auth.log you will see "CRON[22045]:
pam_access(cron:account): access denied for user `foo' from `cron'"
this is for security and config in /etc/security/access.conf

it looks like this:

# Disallow access to all forms of login to all
# users except for members of the nova project
# that this instance is a member of:
-:ALL EXCEPT (project-foo) root:ALL

and since "crond" is a form of login in this context, it disallows
users who are not in the "project-foo" group.

This file should not be changed manually though, it is defined in puppet
ldap.pp
/puppet/templates/ldap/access.conf.erb

So either make (system) users members of the project- group (but we can't add
them to this group via puppet) 

or make changes to access.conf.erb, "crond" can be allowed separately from
other forms of login

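The first-match evaluation behind the denial in the report, as an added example (not part of the original bug report or of the puppet template it mentions): a simplified Python model of pam_access rule matching that covers only ALL, EXCEPT, (group) and plain names. The `+:foo:cron` line, the account names and the group memberships are constructed assumptions; the origin string `cron` is the one shown in the quoted auth.log line.

```python
# Simplified model of pam_access evaluation: the first matching line decides.

def token_match(tok, value, groups):
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return tok[1:-1] in groups           # (group) syntax, users field only
    return tok == value

def list_match(tokens, value, groups):
    """Match a token list that may carry an EXCEPT clause."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_match(tokens[:i], value, groups)
                and not list_match(tokens[i + 1:], value, groups))
    return any(token_match(t, value, groups) for t in tokens)

def check_access(conf, user, groups, origin):
    """Return (allowed, deciding_rule); no matching rule means access is granted."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if (list_match(users.split(), user, groups)
                and list_match(origins.split(), origin, set())):
            return perm == "+", line
    return True, None

# Rule quoted in the report.
CURRENT = "-:ALL EXCEPT (project-foo) root:ALL"
# Hypothetical change: allow one named system user, from the cron origin only,
# ahead of the catch-all deny.
PROPOSED = "+:foo:cron\n" + CURRENT

# Constructed accounts: 'foo' is the puppet-created system user,
# 'alice' is a member of the project group.
ACCOUNTS = {"foo": set(), "alice": {"project-foo"}, "root": set()}

def decide(conf, user, origin):
    return check_access(conf, user, ACCOUNTS[user], origin)[0]

if __name__ == "__main__":
    cases = (("foo", "cron"), ("foo", "tty1"), ("alice", "tty1"), ("root", "cron"))
    for name, conf in (("current", CURRENT), ("proposed", PROPOSED)):
        for user, origin in cases:
            verdict = "allow" if decide(conf, user, origin) else "deny"
            print(f"{name:8} {user:5} from {origin:4} -> {verdict}")
```

Scoping the allow rule to a named user and the `cron` origin keeps every other form of login for that user behind the existing deny line.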