(root) FAILED to authorize user with PAM (Permission denied)


I ended up rearranging my access.conf to the below. In a sense, I put the cron entry as my second entry in the config file, which seems to correctly set the permissions for root to access cron.

 #
 # Disallow non-root logins on tty1
 #
 #-:ALL EXCEPT root:tty1
 #
 # User "root" should be allowed to get access via cron .. tty5 tty6.
 + : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
 #
 # Disallow console logins to all but a few accounts.
 #
 -:ALL EXCEPT wheel shutdown sync:LOCAL root

If someone knows, please say, but I suspect that permissions are built on how they are entered in the config. Even if you have permission via an entry in the config, if a line before that entry denies you access, does it then overwrite the grant entry since it came first?
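The first-match behaviour the answer relies on, as an added Python model of how pam_access walks access.conf (this is example code, not the page's or Linux-PAM's own; it simplifies the real matcher by not resolving group names in the user field and by treating LOCAL as any origin string without a dot, which is why "cron" matched LOCAL in the debug output above). Both configurations below are constructed from the lines shown in the question and answer.

```python
ORIGINAL_ORDER = """\
# constructed: the deny line ahead of the grant, as in the original question
-:ALL EXCEPT wheel shutdown sync:LOCAL root
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
"""

FIXED_ORDER = """\
# constructed: the rearrangement from the answer, grant line first
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
-:ALL EXCEPT wheel shutdown sync:LOCAL root
"""

def _parse(conf_text):
    """Return (perm, user_tokens, origin_tokens) for each active rule line."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps a display origin such as ':0' inside the third field
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def _list_match(tokens, item, is_origin=False):
    """List semantics: ALL, 'ALL EXCEPT ...', LOCAL (origins only), literal."""
    if tokens[:2] == ["ALL", "EXCEPT"]:
        return not _list_match(tokens[2:], item, is_origin)
    for tok in tokens:
        if tok == "ALL" or tok == item:
            return True
        # simplification: LOCAL matches any origin without a dot in it
        if is_origin and tok == "LOCAL" and "." not in item:
            return True
    return False

def check_access(conf_text, user, origin):
    """First matching line decides: '+' permits, '-' denies; no match permits."""
    for perm, users, origins in _parse(conf_text):
        if _list_match(users, user) and _list_match(origins, origin, True):
            return perm == "+"
    return True

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        verdict = "permitted" if check_access(conf, "root", "cron") else "denied"
        print(f"{name} order: root from cron -> {verdict}")
```

Swapping the two lines changes the verdict for root from cron because the deny line's "ALL EXCEPT wheel shutdown sync" already matches root, so once it comes first the later grant is never consulted.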

Author: Govna

Updated on September 18, 2022

Comments

  • Govna
    Govna over 1 year

    When tailing /var/log/cron I noticed that the cron job is failing due to PAM permissions. In my access.conf I do have the following uncommented to make sure (or what I thought was making sure) that root did have permissions to run cron jobs.

    # User "root" should be allowed to get access via cron .. tty5 tty6.
    + : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
    

    I'm on CentOS 7, kernel 3.10.0-693.21.1.el7.x86_64; we have connected it to our Windows Active Directory instance via realm, sssd and Kerberos. My installation steps can be found here: Best Auth Mech to Connect to Windows AD

    I'm at a loss at the moment and can't figure out what may be causing this. I double checked that root's password didn't expire, and it had not. Current root access is configured through Windows security groups.

    Any help would be greatly appreciated!

    EDIT: I added debug to the end of my pam_access.so and got the following:

    crond[17411]: pam_access(crond:account): login_access: user=root, from=cron, file=/etc/security/access.conf
    crond[17411]: pam_access(crond:account): line 60: - : ALL EXCEPT wheel shutdown sync : LOCAL root
    crond[17411]: pam_access(crond:account): list_match: list=ALL EXCEPT wheel shutdown sync, item=root
    crond[17411]: pam_access(crond:account): user_match: tok=ALL, item=root
    crond[17411]: pam_access(crond:account): string_match: tok=ALL, item=root
    crond[17411]: pam_access(crond:account): user_match: tok=wheel, item=root
    crond[17411]: pam_access(crond:account): string_match: tok=wheel, item=root
    crond[17411]: pam_access(crond:account): user_match: tok=shutdown, item=root
    crond[17411]: pam_access(crond:account): string_match: tok=shutdown, item=root
    crond[17411]: pam_access(crond:account): user_match: tok=sync, item=root
    crond[17411]: pam_access(crond:account): string_match: tok=sync, item=root
    crond[17411]: pam_access(crond:account): user_match=1, "root"
    crond[17411]: pam_access(crond:account): list_match: list=LOCAL root, item=root
    crond[17411]: pam_access(crond:account): from_match: tok=LOCAL, item=cron
    crond[17411]: pam_access(crond:account): string_match: tok=LOCAL, item=cron
    crond[17411]: pam_access(crond:account): from_match=1, "cron"
    crond[17411]: pam_access(crond:account): access denied for user `root' from `cron'

    • Govna
      Govna almost 6 years
      For me to run as root, I log in with my domain account, use sudo -i to switch to root, enter my password and I'm root. When I run tty I get /dev/pst/# - I tried adding ttyp* and pts and pts* into the access.conf but no luck.
    • RainDoctor
      RainDoctor about 2 years
      Your debug logs show that - : ALL EXCEPT wheel shutdown sync : LOCAL root is before + : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6.
  • Govna
    Govna almost 6 years
    Thanks for the reply. I don't have a cron.allow, only a cron.deny, but there were no entries, so nothing was being denied. I found the arrangement of my access.conf file was causing the permission denied.