Crond session, pam_access and pam_systemd

Hello,

Using systemd-239 on CentOS 8.2 I'm trying to figure out what exactly happens when a cron "session" is created. In particular, what corresponds to the following error messages I get while running a user crontab:

2020-10-12T14:27:01.031334+02:00 maestro-orbit systemd: pam_access(systemd-user:account): access denied for user `toto' from `systemd-user'

2020-10-12T14:27:01.036959+02:00 maestro-orbit crond[135956]: pam_systemd(crond:session): Failed to create session: Start job for unit user@1000.service failed with 'failed'

- What I'm doing:

ssh to the host, sudo -u toto, crontab -e, exit

so when toto's crontab gets executed toto has no running sessions

- access.conf, for cron, has the line

+:ALL:cron crond

- If I add

+:toto:systemd-user

the error messages do not occur anymore.

My understanding is that for a standard logged-in user, pam_systemd registers the user sessions to systemd-logind and each logged-in user has a user slice holding all his session's scopes plus an init scope holding a user@<uid>.service which in turn holds at least a user instance of systemd (systemd --user) and "sd-pam".

So my questions are:

- what is sd-pam?
- is a crond session different from a user session?
- what pam service name does crond use?
- what does the first error message refer to and why does the systemd-user pam service name get passed? and by which systemd (system or user)?
- what is the failing systemd job the second message refers to? Does this mean that the crond "session" gets created by the systemd --user instance (as some gnome apps in other contexts for instance)?
- does the line I added to access.conf make sense at all?

I also noticed that if the user gets lingered there is no such error message (which makes me think about the creation of the crond session through the systemd --user instance running a job)

Thanks for your help and sorry for the confusion

--
Thomas HUMMEL
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
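
An added example, not part of the original post: it extracts the PAM service, user and origin from the pam_access denial line quoted above and runs them through a simplified first-match reading of access.conf, before and after the `+:toto:systemd-user` line. The closing `-:ALL:ALL` rule is an assumption (the post shows only the `+` lines), and the matcher handles only literal names and `ALL`, not `EXCEPT`, groups, `LOCAL` or network origins.

```python
import re

# Format of the pam_access denial line quoted in the post.
DENY_RE = re.compile(
    r"pam_access\((?P<service>[^:]+):(?P<phase>\w+)\): access denied for user "
    r"[`'](?P<user>[^']+)' from [`'](?P<origin>[^']+)'"
)

# The post's first log line, copied verbatim.
LOG_LINE = ("2020-10-12T14:27:01.031334+02:00 maestro-orbit systemd: "
            "pam_access(systemd-user:account): access denied for user "
            "`toto' from `systemd-user'")

# ASSUMPTION: the closing "-:ALL:ALL" is constructed; the post shows only "+" lines.
BEFORE = "+:ALL:cron crond\n-:ALL:ALL\n"
AFTER = "+:ALL:cron crond\n+:toto:systemd-user\n-:ALL:ALL\n"

def parse_denial(line):
    """Return service/phase/user/origin from a pam_access denial, or None."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None

def parse_rules(text):
    """Parse 'permission:users:origins' lines, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm.strip(), users.split(), origins.split()))
    return rules

def evaluate(rules, user, origin):
    """First matching rule decides; with no match pam_access grants access."""
    for perm, users, origins in rules:
        user_ok = "ALL" in users or user in users
        origin_ok = "ALL" in origins or origin in origins
        if user_ok and origin_ok:
            return perm == "+", f"{perm}:{' '.join(users)}:{' '.join(origins)}"
    return True, None

if __name__ == "__main__":
    d = parse_denial(LOG_LINE)
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, d["service"], evaluate(parse_rules(conf), d["user"], d["origin"]))
```
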


