[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

cron and expired root password

Hello everyone.

I'd like to ask you a question related to pam configuration for crond.

Under some circumstances we run systems with expired root password and due to various product specific reasons it is not possible to avoid that. In such case the cron daemon fails with the following two messages in the cron log till a new root password is set:

  /usr/sbin/cron[28121]: (CRON) pam_message (Password change requested. Choose a new password.)
  /usr/sbin/cron[28121]: Authentication token is no longer valid; new one required

That prevents logrotate from running and leads to a state when the /var partition is flooded with uncompressed product logs (eating few GB of disk space a day) and when the partition gets full, the services start failing.

I tried to play with the /etc/pam.d/crond config and the addition of the following line helped:

  account  sufficient     pam_rootok.so

I also tested a second solution using the /etc/cron.allow file where the root account can be added to allow cron execution with expired root password:

  account  sufficient     pam_listfile.so item=user sense=allow file=/etc/cron.allow quiet

Are there any security risks of such modifications?

Thanks in advance for any anwer.

Best regards,
Jaromir Capik.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]