Debian Bug report logs - #662782
access.conf example causes cron job failures


Package: libpam-modules; Maintainer for libpam-modules is Sam Hartman <[email protected]>; Source for libpam-modules is src:pam.

Reported by: Daniel Pocock <[email protected]>

Date: Tue, 6 Mar 2012 10:42:02 UTC

Severity: normal

Found in version pam/1.1.1-6.1



Report forwarded to [email protected], Steve Langasek <[email protected]>:
Bug#662782; Package libpam-modules. (Tue, 06 Mar 2012 10:42:05 GMT)


Acknowledgement sent to Daniel Pocock <[email protected]>:
New Bug report received and forwarded. Copy sent to Steve Langasek <[email protected]>. (Tue, 06 Mar 2012 10:42:06 GMT)


Message #5 received at [email protected]:

From: Daniel Pocock <[email protected]>
To: [email protected]
Subject: access.conf example causes cron job failures
Date: Tue, 06 Mar 2012 11:39:04 +0100
Package: libpam-modules
Version: 1.1.1-6.1

I decided to try pam_access.so and access.conf on a system to improve
security

I built my own access.conf based on the sample included in the package,
in particular, I ended my file with the same catch-all rule:

- : ALL : ALL

The next few days, I received errors from cron:

/etc/cron.daily/amavisd-new:
su: Permission denied
(Ignored)

I also had similar errors when running apt-get update on the machine

I've found that using a catch-all rule like this:

- : ALL : ALL EXCEPT LOCAL

may be more appropriate

Information forwarded to [email protected]:
Bug#662782; Package libpam-modules. (Tue, 06 Mar 2012 18:36:03 GMT)


Acknowledgement sent to Steve Langasek <[email protected]>:
Extra info received and forwarded to list. (Tue, 06 Mar 2012 18:36:03 GMT)


Message #10 received at [email protected]:

From: Steve Langasek <[email protected]>
To: Daniel Pocock <[email protected]>, [email protected]
Subject: Re: Bug#662782: access.conf example causes cron job failures
Date: Tue, 6 Mar 2012 10:33:11 -0800
Hi Daniel,

On Tue, Mar 06, 2012 at 11:39:04AM +0100, Daniel Pocock wrote:
> I decided to try pam_access.so and access.conf on a system to improve
> security

> I built my own access.conf based on the sample included in the package,
> in particular, I ended my file with the same catch-all rule:

> - : ALL : ALL

> The next few days, I received errors from cron:

> /etc/cron.daily/amavisd-new:
> su: Permission denied
> (Ignored)

> I also had similar errors when running apt-get update on the machine

> I've found that using a catch-all rule like this:

> - : ALL : ALL EXCEPT LOCAL

> may be more appropriate

The access.conf that's shipped by default actually includes two examples,
the first of which does show the use of LOCAL.

Also, if you're seeing this error then presumably you've added pam_access to
/etc/pam.d/common-account - so of course it's going to apply to all
services, and requires some thought about whether the rules it's applying
are correct for all services.

I am unconvinced that any change to the example is actually warranted here;
but I would consider a patch if submitted.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                     [email protected]

Information forwarded to [email protected], Steve Langasek <[email protected]>:
Bug#662782; Package libpam-modules. (Tue, 06 Mar 2012 22:51:04 GMT)


Acknowledgement sent to Daniel Pocock <[email protected]>:
Extra info received and forwarded to list. Copy sent to Steve Langasek <[email protected]>. (Tue, 06 Mar 2012 22:51:04 GMT)


Message #15 received at [email protected]:

From: Daniel Pocock <[email protected]>
To: Steve Langasek <[email protected]>
Cc: [email protected]
Subject: Re: Bug#662782: access.conf example causes cron job failures
Date: Tue, 06 Mar 2012 23:41:02 +0100
> The access.conf that's shipped by default actually includes two examples,
> the first of which does show the use of LOCAL.

Yes, but the first example doesn't have a catch-all line at the end

For many people, it is tempting to have the final rule deny anything
they haven't explicitly got on the white list

> Also, if you're seeing this error then presumably you've added pam_access to
> /etc/pam.d/common-account - so of course it's going to apply to all
> services, and requires some thought about whether the rules it's applying
> are correct for all services.

That is correct - maybe I am paranoid, but I felt that just setting up
pam_access would mean that there may be some other attack vector that
remains open

So, my attitude is to have a catch-all deny rule, and to invoke
pam_access from common-account

> I am unconvinced that any change to the example is actually warranted here;
> but I would consider a patch if submitted.

I agree there is probably no perfect solution that will suit all users
of pam

However, it might be nice to just add this line at the end of the sample:

# All other users should be denied to get access from all sources.
#- : ALL : ALL
# As an alternative to the above, only apply the catch-all to
# non-local users (otherwise su commands within scripts and
# cron jobs may fail):
#- : ALL : ALL EXCEPT LOCAL
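The following is an added example, not code from this bug report, from Debian or from pam itself. It is a small Python model of how pam_access walks access.conf, and it covers both the catch-all rule from the original report (message #5) and the "ALL EXCEPT LOCAL" alternative proposed above: with "- : ALL : ALL" an su from a cron job is denied, with "- : ALL : ALL EXCEPT LOCAL" it is permitted while a remote origin is still denied. The model is an assumption-laden simplification of the 2012-era semantics: rules are scanned top to bottom and the first match decides; ALL matches anything; LOCAL matches an origin string that contains no '.'; EXCEPT excludes whatever follows it; if no rule matches, access is granted. Group syntax, netmasks, the exact origin string pam_access derives from PAM_RHOST or PAM_TTY, and later changes to the LOCAL keyword are not modelled. The two configuration texts and the origins "cron", "tty1" and "203.0.113.5" are constructed for the example.

```python
"""Toy evaluator for a subset of pam_access access.conf semantics (added example).

Assumptions (not verified against the pam source): first matching rule wins,
ALL matches anything, LOCAL matches an origin with no '.', EXCEPT subtracts the
tokens after it, and a default of "permit" applies when nothing matches.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Rule:
    permit: bool          # '+' permits, '-' denies
    users: List[str]      # whitespace-separated user tokens
    origins: List[str]    # whitespace-separated origin tokens


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'permission : users : origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append(Rule(parts[0] == "+", parts[1].split(), parts[2].split()))
    return rules


def list_match(tokens: List[str], value: str,
               token_matches: Callable[[str, str], bool]) -> bool:
    """'a b EXCEPT c d' matches if value matches a/b and does not match c/d."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        idx = upper.index("EXCEPT")
        return (list_match(tokens[:idx], value, token_matches)
                and not list_match(tokens[idx + 1:], value, token_matches))
    return any(token_matches(tok, value) for tok in tokens)


def user_matches(tok: str, user: str) -> bool:
    # Group syntax such as (wheel) is deliberately not modelled.
    return tok.upper() == "ALL" or tok == user


def origin_matches(tok: str, origin: str) -> bool:
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":
        # Assumption: LOCAL matches any origin string without a '.' (ttys,
        # short local names); dotted hostnames and IP addresses are not local.
        return "." not in origin
    return tok == origin


def check_access(rules: List[Rule], user: str, origin: str) -> bool:
    """Return True if access is permitted, False if denied."""
    for rule in rules:
        if (list_match(rule.users, user, user_matches)
                and list_match(rule.origins, origin, origin_matches)):
            return rule.permit
    return True  # no rule matched: pam_access permits by default


# Constructed configurations (not the access.conf shipped by Debian).
STRICT_CONF = """
+ : root : LOCAL
- : ALL : ALL
"""

LOCAL_EXEMPT_CONF = """
+ : root : LOCAL
- : ALL : ALL EXCEPT LOCAL
"""

# Constructed attempts: (account, origin string as pam_access would see it).
ATTEMPTS = [
    ("amavis", "cron"),         # su from a cron job: no '.' in origin
    ("root", "tty1"),           # console login
    ("amavis", "203.0.113.5"),  # remote origin
    ("root", "203.0.113.5"),
]


def evaluate(conf_text: str) -> dict:
    """Map each (user, origin) attempt to its permit/deny decision."""
    rules = parse_access_conf(conf_text)
    return {attempt: check_access(rules, *attempt) for attempt in ATTEMPTS}


if __name__ == "__main__":
    for name, conf in (("- : ALL : ALL", STRICT_CONF),
                       ("- : ALL : ALL EXCEPT LOCAL", LOCAL_EXEMPT_CONF)):
        print(f"catch-all rule: {name}")
        for (user, origin), ok in evaluate(conf).items():
            print(f"  {user:>7} from {origin:<12} -> {'permit' if ok else 'DENY'}")
```

Running the block shows the failure mode from the report: under the first configuration the "amavis from cron" attempt is denied (the "su: Permission denied" cron mail), while under the second it is permitted and the two attempts from 203.0.113.5 are still denied. Because pam_access invoked from common-account applies to every service, the model is a cheap way to table-check a candidate access.conf against the local accounts and origins that scripts and cron jobs actually use before enabling it.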



Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 13:51:22 2025; Machine Name: bembo
