I'd like to ask you a question related to PAM configuration for crond.
Under some circumstances we run systems with an expired root password and due to various product specific reasons it is not possible to avoid that. In such a case the cron daemon fails with the following two messages in the cron log till a new root password is set:
/usr/sbin/cron[28121]: (CRON) pam_message (Password change requested. Choose a new password.)
/usr/sbin/cron[28121]: Authentication token is no longer valid; new one required
That prevents logrotate from running and leads to a state where the /var partition is flooded with uncompressed product logs (eating a few GB of disk space a day) and when the partition gets full, the services start failing.
I tried to play with the /etc/pam.d/crond config and the addition of the following line helped:
account sufficient pam_rootok.so
I also tested a second solution using the /etc/cron.allow file where the root account can be added to allow cron execution with an expired root password:
account sufficient pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed quiet
Are there any security risks of such modifications?
Thanks in advance for any answer.
Best regards,
Jaromir Capik.
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
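
The two account lines from the message above, run through a simplified model of PAM's control-flag evaluation (an added example, not part of the original post and not libpam code). It assumes the rest of the crond account stack is a single `account required pam_unix.so` line, simulates the module verdicts, and uses constructed users; `pam_rootok.so` is modelled as checking the UID of the calling process, which for cron is the daemon itself.

```python
# Simplified model of how PAM walks an "account" stack for crond.
# Module verdicts are simulated (assumption); nothing here calls libpam.
def parse_stack(text):
    """Return (control, module, args) for each 'account' line."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "account":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def run_module(module, args, user, ctx):
    """Simulated module verdict: True stands for PAM_SUCCESS."""
    if module == "pam_rootok.so":
        # Looks at the UID of the calling process (crond), not the job's user.
        return ctx["daemon_uid"] == 0
    if module == "pam_listfile.so":
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        listed = ctx["files"].get(opts.get("file"))
        if listed is None:                  # list file missing or unreadable
            return opts.get("onerr") == "succeed"
        return (user in listed) == (opts.get("sense") == "allow")
    if module == "pam_unix.so":
        return user not in ctx["expired"]   # expired password fails the check
    raise ValueError("module not modelled: " + module)

def account_allowed(stack, user, ctx):
    """Apply required/requisite/sufficient/optional controls in order."""
    failed = False
    for control, module, args in stack:
        ok = run_module(module, args, user, ctx)
        if control == "sufficient" and ok and not failed:
            return True                     # remaining modules are skipped
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            failed = True
    return not failed

# Constructed sample data: crond runs as root; root and alice are both expired.
CTX = {"daemon_uid": 0, "expired": {"root", "alice"},
       "files": {"/etc/cron.allow": {"root"}}}
UNIX = "account required pam_unix.so\n"
ROOTOK = "account sufficient pam_rootok.so\n" + UNIX
LISTFILE = ("account sufficient pam_listfile.so item=user sense=allow "
            "file=/etc/cron.allow onerr=succeed quiet\n") + UNIX

def verdicts(config, ctx=CTX):
    """Map each sample user to whether the account stack lets the job run."""
    stack = parse_stack(config)
    return {u: account_allowed(stack, u, ctx) for u in ("root", "alice")}
```

In this model the `pam_rootok.so` line passes every user's job past the expiry check because the daemon runs as UID 0, while the `pam_listfile.so` line does so only for users listed in /etc/cron.allow, or for everyone when the file cannot be read and `onerr=succeed` applies.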