cron and expired root password
Jaromír Cápík
jaromir.capik at email.cz
Tue Jan 10 12:01:09 UTC 2017
Hello everyone.
I'd like to ask you a question related to pam configuration for crond.
Under some circumstances we run systems with an expired root password and due
to various product-specific reasons it is not possible to avoid that. In
such a case the cron daemon fails with the following two messages in the cron
log till a new root password is set:
/usr/sbin/cron[28121]: (CRON) pam_message (Password change requested. Choose a new password.)
/usr/sbin/cron[28121]: Authentication token is no longer valid; new one required
That prevents logrotate from running and leads to a state where the /var
partition is flooded with uncompressed product logs (eating a few GB of disk
space a day) and when the partition gets full, the services start failing.
I tried to play with the /etc/pam.d/crond config and the addition of the
following line helped:
account sufficient pam_rootok.so
I also tested a second solution using the /etc/cron.allow file where the
root account can be added to allow cron execution with an expired root
password:
account sufficient pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed quiet
Are there any security risks of such modifications?
Thanks in advance for any answer.
Best regards,
Jaromir Capik.
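
Added example, not part of the original message: a small Python check that reads the account stack of a PAM service file and lists which later entries each "sufficient" line skips when it succeeds, using the two lines from the post. The sample file contents other than those two lines, and the function names, are assumptions made for illustration.

```python
import re

# Constructed sample in the style of /etc/pam.d/crond; the two "sufficient"
# lines are the ones from the post, the rest is assumed for illustration.
SAMPLE = """\
account  sufficient  pam_rootok.so
account  sufficient  pam_listfile.so item=user sense=allow file=/etc/cron.allow onerr=succeed quiet
account  required    pam_access.so
account  include     system-auth
session  required    pam_loginuid.so
"""

# type, control (plain word or [bracketed list]), module, optional arguments
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, mtype="account"):
    """Return [(lineno, control, module, [args])] for one PAM module type."""
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == mtype:
            stack.append((lineno, m.group(2), m.group(3), m.group(4).split()))
    return stack

def audit(text, mtype="account"):
    """List each 'sufficient' entry with the later entries it skips on success."""
    stack = parse_stack(text, mtype)
    findings = []
    for i, (lineno, control, module, args) in enumerate(stack):
        if control != "sufficient":
            continue
        notes = []
        if module == "pam_rootok.so":
            # pam_rootok tests the UID of the calling process, not the target user
            notes.append("passes whenever the caller runs as UID 0")
        if module == "pam_listfile.so" and "onerr=succeed" in args:
            # onerr=succeed turns errors (e.g. list file cannot be opened) into success
            notes.append("onerr=succeed: returns success if the list file cannot be opened")
        findings.append({"line": lineno, "module": module,
                         "skips": [e[2] for e in stack[i + 1:]], "notes": notes})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['module']} skips {f['skips']} {f['notes']}")
```

A "sufficient" success ends the stack only when no earlier "required" entry has failed, so the position of the line within the file decides which checks it can bypass.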