Re: pam_access origins field confusion (or missing documentation?)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Út, 2015-01-27 at 17:57 -0500, Brian Mathis wrote:
> I've been working on configuring pam_access to restrict access to cron
> jobs.  There is an example config file included that contains this line:
>     #+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
> 
> However, nowhere in the documentation is it explained where the strings
> 'cron' and 'crond' come from.  The origins field is specified as containing
> tty names, host names, domain names, host addresses, internet network
> numbers, internet network addresses with network mask, ALL, or LOCAL.
> Nowhere is it mentioned that other things can be in there, such as for cron
> is this the service name?
> 
> I've looked through the source code in pam_access.c, and I'm not a C
> programmer so it's hard to say, but I don't see anything specific to
> 'cron', (like if this were a special case), nor anything about service
> names (though "service" is mentioned on line 873).
> 
> Can anyone explain where the "cron" part comes from?  I can see this being
> useful for controlling access to other things if it is clear how to use
> it.  I'm happy to submit documentation patches once it's been explained.
> 
> 
> P.S. The example line above is also pretty bad since the :0 for X Windows
> contains a ':', which is also the field separator, so it makes it look like
> it's an additional undocumented forth field in the line, only adding more
> confusion to the undocumented use of 'cron crond'.

This is very simple.
1. As documented in the access.conf manpage the origin might be
PAM_RHOST, PAM_TTY, or PAM_SERVICE. If PAM_RHOST is set, it is used,
otherwise if PAM_TTY is set, it is used, otherwise PAM_SERVICE is used.

2. Crond (vixie-cron, cronie) sets PAM_TTY to 'cron'. GDM (and probably
other display managers) sets PAM_TTY to ':0'.

3. The PAM_SERVICE for cron is 'crond'.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux