On Tue, 2015-01-27 at 17:57 -0500, Brian Mathis wrote:
> I've been working on configuring pam_access to restrict access to cron
> jobs. There is an example config file included that contains this line:
> #+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
>
> However, nowhere in the documentation is it explained where the strings
> 'cron' and 'crond' come from. The origins field is specified as containing
> tty names, host names, domain names, host addresses, internet network
> numbers, internet network addresses with network mask, ALL, or LOCAL.
> Nowhere is it mentioned that other things can be in there, such as for cron
> is this the service name?
>
> I've looked through the source code in pam_access.c, and I'm not a C
> programmer so it's hard to say, but I don't see anything specific to
> 'cron', (like if this were a special case), nor anything about service
> names (though "service" is mentioned on line 873).
>
> Can anyone explain where the "cron" part comes from? I can see this being
> useful for controlling access to other things if it is clear how to use
> it. I'm happy to submit documentation patches once it's been explained.
>
>
> P.S. The example line above is also pretty bad since the :0 for X Windows
> contains a ':', which is also the field separator, so it makes it look like
> it's an additional undocumented fourth field in the line, only adding more
> confusion to the undocumented use of 'cron crond'.

This is very simple.

1. As documented in the access.conf manpage the origin might be
   PAM_RHOST, PAM_TTY, or PAM_SERVICE. If PAM_RHOST is set, it is used,
   otherwise if PAM_TTY is set, it is used, otherwise PAM_SERVICE is used.

2. Crond (vixie-cron, cronie) sets PAM_TTY to 'cron'. GDM (and probably
   other display managers) sets PAM_TTY to ':0'.

3. The PAM_SERVICE for cron is 'crond'.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
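
The origin precedence described in the reply above, modelled as an added example that is not part of the original thread and is not code from pam_access. The function names, the treatment of an empty string as "not set", and every sample value other than cron's 'cron'/'crond' and GDM's ':0' are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption of this sketch: NULL or "" means the PAM item is not set. */
static int is_set(const char *s) { return s != NULL && *s != '\0'; }

/* Precedence from the reply: PAM_RHOST, else PAM_TTY, else PAM_SERVICE. */
const char *select_origin(const char *rhost, const char *tty, const char *service)
{
    if (is_set(rhost)) return rhost;
    if (is_set(tty))   return tty;
    return service;
}

/* Return 1 if origin equals one whitespace-separated token of the origins
 * field. Literal comparison only: ALL, LOCAL, host names and network masks
 * are not modelled here. */
int origin_listed(const char *origins, const char *origin)
{
    size_t want = is_set(origin) ? strlen(origin) : 0;
    const char *p = origins;
    while (want && *p) {
        p += strspn(p, " \t");              /* skip separators */
        size_t len = strcspn(p, " \t");     /* length of the next token */
        if (len == want && strncmp(p, origin, len) == 0) return 1;
        p += len;
    }
    return 0;
}

int main(void)
{
    /* Origins field of the sample line quoted in the thread. */
    const char *origins = "cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6";
    /* Constructed PAM item sets for illustration. */
    struct { const char *who, *rhost, *tty, *service; } cases[] = {
        { "cron job",      NULL,         "cron", "crond" },
        { "GDM login",     NULL,         ":0",   "gdm"   }, /* service name constructed */
        { "no tty set",    NULL,         NULL,   "crond" },
        { "remote login",  "192.0.2.10", "ssh",  "sshd"  }, /* constructed */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *o = select_origin(cases[i].rhost, cases[i].tty, cases[i].service);
        printf("%-13s origin=%-11s listed=%d\n", cases[i].who, o,
               origin_listed(origins, o));
    }
    return 0;
}
```

The first three cases match a token of the sample line; the remote login does not, because its origin is the remote host rather than a tty or service name.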