pam_succeed_if.so not worked correctly in auth stack of /etc/pam.d/crond #109

Closed
masa-murayama opened this issue Mar 30, 2022 · 4 comments
masa-murayama commented Mar 30, 2022

I have a problem that pam_succeed_if.so always returns an error of ignore for the auth stack in /etc/pam.d/crond.
I also found that the PAM setup in cron_start_pam() in src/security.c didn't call pam_authenticate().
So authentication in PAM isn't executed correctly, I think.

It happened on CentOS6.8, CentOS7.3, and CentOS7.8.

To duplicate the issue, I used the crontab -l command invoked by a non-root user.
When the root user invoked crontab, it didn't use PAM.

Thanks,

@t8m t8m added the invalid label Mar 30, 2022
t8m commented Mar 30, 2022

crond or crontab does not invoke pam_authenticate at all. That is by design.

@t8m t8m closed this as completed Mar 30, 2022
masa-murayama commented

Thank you very much for your quick response.
As crond or crontab doesn't invoke pam_authenticate(), it does not need to include the auth stack in the password-auth file and/or the system-auth file.
So, I changed the auth stack in /etc/pam.d/crond as below.

#auth include system-auth
auth required pam_permit.so

It worked for me even if I used pam_succeed_if.so in password-auth and/or system-auth. Many thanks.
-masa

t8m commented Mar 31, 2022

There is a reason the auth stack is included - that is for the pam_setcred() call, which uses the auth stack.
Not sure if it makes much sense for crontab, but for crond, that is needed.

masa-murayama commented

Thank you very much for your response.
I copied the original auth stack of system-auth into crond so as not to change the behavior of pam_setcred():

#auth include system-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

It seems to work for me.
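
As an added example (not part of this thread and not cronie's code), the sketch below flattens the `auth` stack that a service file resolves to, which is the stack the comment above says pam_setcred() uses. `expand_stack`, `SAMPLE` and the `crond-permit` entry are hypothetical names; the file contents are constructed from the stacks quoted in this thread, and treating `substack` like `include` is a simplification.

```python
# Added example: flatten one PAM management group, following include/substack.
# SAMPLE is constructed from the stacks quoted in this thread; it is not read
# from a real system. Treating "substack" like "include" is a simplification.
SAMPLE = {
    "system-auth": (
        "auth required pam_env.so\n"
        "auth required pam_faildelay.so delay=2000000\n"
        "auth sufficient pam_fprintd.so\n"
        "auth sufficient pam_unix.so nullok try_first_pass\n"
        "auth requisite pam_succeed_if.so uid >= 1000 quiet_success\n"
        "auth required pam_deny.so\n"
        "account required pam_unix.so   # constructed line, other group\n"
    ),
    "crond": "auth include system-auth\n",
    "crond-permit": "#auth include system-auth\nauth required pam_permit.so\n",
}


def expand_stack(service, group, files, seen=()):
    """Return [(source_file, control, module, args)] in evaluation order."""
    if service in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (service,)))
    entries = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        # A leading '-' on the type only silences missing-module logging.
        if len(fields) < 3 or fields[0].lstrip("-") != group:
            continue
        control, rest = fields[1], fields[2:]
        # Re-join a bracketed control such as [success=1 default=ignore].
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)
        if not rest:
            continue
        if control in ("include", "substack"):
            entries += expand_stack(rest[0], group, files, seen + (service,))
        else:
            entries.append((service, control, rest[0], " ".join(rest[1:])))
    return entries


if __name__ == "__main__":
    for name in ("crond", "crond-permit"):
        print(name)
        for src, control, module, args in expand_stack(name, "auth", SAMPLE):
            print(f"  {control:<11}{module:<20}{args}  (from {src})")
```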
