Date:      Mon, 18 Jun 2007 14:06:22 +0400
From:      Yar Tikhiy <yar@comp.chem.msu.su>
To:        LI Xin <delphij@delphij.net>
Cc:        cvs-src@FreeBSD.ORG, src-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/etc/pam.d Makefile cron src/usr.sbin/cron/cron Makefile cron.8 cron.h database.c do_command.c src/usr.sbin/cron/lib Makefile entry.c
Message-ID:  <20070618100622.GV30493@comp.chem.msu.su>
In-Reply-To: <4676564E.6060105@delphij.net>
References:  <200706171725.l5HHPr2c092609@repoman.freebsd.org> <46764262.1060408@delphij.net> <4676564E.6060105@delphij.net>

On Mon, Jun 18, 2007 at 05:54:22PM +0800, LI Xin wrote:
> LI Xin wrote:
> > Hi,
> > 
> > Yar Tikhiy wrote:
> >> yar         2007-06-17 17:25:53 UTC
> >>
> >>   FreeBSD src repository
> >>
> >>   Modified files:
> >>     etc/pam.d            Makefile 
> >>     usr.sbin/cron/cron   Makefile cron.8 cron.h database.c 
> >>                          do_command.c 
> >>     usr.sbin/cron/lib    Makefile entry.c 
> >>   Added files:
> >>     etc/pam.d            cron 
> >>   Log:
> >>   Add PAM support to cron(8).  Now cron(8) will skip commands scheduled
> >>   by unavailable accounts, e.g., those locked, expired, not allowed in at
> >>   the moment by nologin(5), or whatever, depending on cron's pam.conf(5).
> >>   This applies to personal crontabs only, /etc/crontab is unaffected.
> > 
> > This will silently break a lot of ports, for instance mail/mailman,
> > which creates nologin(5) users with crontab entry.  Can we for now
> > (because we are near a new release) try not disabling nologin(5) users,
> > and discuss a better solution?
> > 
> > A possible alternative is to make a pam_ftpusers(8)-like PAM module
> > which is marked as "sufficient" and explicitly pass /var/cron/allow
> > users (especially ports) to override the policy.
> 
> Thanks to ru@, I should have noticed that nologin(5) is different from
> nologin(8) and this would not affect ports installations.
> 
> Sorry for the confusion.

Thank you for raising this issue!  It clearly deserved an explanation.

-- 
Yar
