How PAM’s access.conf Works: Debugging Cron Job Permission Issues



The /etc/security/access.conf file is read by the Pluggable Authentication Module (PAM) system, specifically by the pam_access.so module. This is part of Linux's authentication infrastructure that controls access to the system based on various rules.

# Example from /etc/pam.d/sshd showing pam_access usage
auth    required    pam_access.so    accessfile=/etc/security/access.conf

After modifying access.conf, whether you need to restart services depends on:

  • For existing login sessions: no restart is needed; the changes take effect for new sessions
  • For services: you'll need to restart the service that uses PAM (such as sshd, cron, or login)

To confirm if access.conf is being used:

# Check which PAM-enabled services use pam_access
grep -r "pam_access" /etc/pam.d/

# Alternative: Check system logs for access denials
journalctl -f | grep "access denied"

For cron-related access issues, check:

# 1. Verify cron's PAM configuration
cat /etc/pam.d/crond

# 2. Example access.conf entry that blocks cron jobs: denies every user except
#    root and cronuser, from any origin (fields are permission:users:origins)
-:ALL EXCEPT root cronuser:ALL

When troubleshooting:

# Route PAM's auth-facility debug messages to a file (an rsyslog/syslog.conf rule,
# not a PAM setting); adding the "debug" option to the pam_access.so line makes
# the module log which rule matched
auth.debug /var/log/pam_debug.log

# Test specific access rules by running the account stack of a service as a user;
# pamtester (a separately packaged PAM test utility) stands in here because
# pam_access ships no command-line checker of its own
pamtester -v crond username acct_mgmt

Common gotchas include:

  • Network-based rules (LOCAL keyword behavior)
  • Group membership evaluation timing
  • Interaction with other PAM modules in the stack

The /etc/security/access.conf file is a crucial configuration file in Linux systems that controls access permissions for various services. This PAM (Pluggable Authentication Modules) configuration file is primarily read by the pam_access.so module.

# Example access.conf entry: permit root from the cron/crond origins, deny everyone else
+ : root : cron crond
- : ALL : ALL
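To reason about how entries like the ones above are evaluated (first matching rule wins, ALL, EXCEPT, (group) entries, and the LOCAL origin keyword from the gotchas list), here is a small evaluator as an added example; it is not pam_access itself nor code from the page. The sample entries and the GROUPS table are constructed, and LOCAL is implemented as the older man-page definition (an origin containing no "."), which is a simplification of the module's current behaviour.

```python
"""Simplified evaluator of /etc/security/access.conf rules (added example)."""

# Constructed sample, modelled on the entries discussed on this page.
SAMPLE_ACCESS_CONF = """
# allow the cron users, wheel members locally, then deny everyone else
+ : root : cron crond
+ : cronuser : cron crond
+ : (wheel) : LOCAL
- : ALL EXCEPT root cronuser : ALL
"""

# Constructed group membership; a real tool would consult grp.getgrnam().
GROUPS = {"wheel": {"alice"}}


def parse_access_conf(text):
    """Return a list of (allow: bool, users: [str], origins: [str])."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules


def _match(items, value, field):
    """Does `value` match the space-separated list `items` of a user or origin field?"""
    if "EXCEPT" in items:                            # 'A B EXCEPT C D': in A/B but not in C/D
        i = items.index("EXCEPT")
        return _match(items[:i], value, field) and not _match(items[i + 1:], value, field)
    for item in items:
        if item == "ALL":
            return True
        if field == "user" and item.startswith("(") and item.endswith(")"):
            if value in GROUPS.get(item[1:-1], set()):   # (group) entry
                return True
        elif field == "origin" and item == "LOCAL":
            if "." not in value:                     # older man-page LOCAL: origin has no dot
                return True
        elif item == value:
            return True
    return False


def check_access(rules, user, origin):
    """Permission ('+' or '-') of the first matching rule; no match means permit."""
    for allow, users, origins in rules:
        if _match(users, user, "user") and _match(origins, origin, "origin"):
            return "+" if allow else "-"
    return "+"


RULES = parse_access_conf(SAMPLE_ACCESS_CONF)
```

Note that a service name used as the origin (such as "crond") contains no dot, so under this LOCAL definition it is matched by the (wheel) rule; that is the LOCAL gotcha in practice.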

Several system services rely on this file for access control:

  • Login services (sshd, console login)
  • Cron daemon
  • su/sudo operations
  • Any service configured to use PAM with pam_access

To confirm whether the file is being used:

# Check PAM configuration for relevant services
grep pam_access /etc/pam.d/*

Example output for cron:

/etc/pam.d/crond:account    required     pam_access.so

Unlike many configuration files, changes to access.conf typically don't require a service restart: pam_access re-reads the file each time it is consulted. However, for some services like cron, you might need to:

# For cron specifically (the unit is named "cron" rather than "crond" on Debian/Ubuntu)
systemctl restart crond

When debugging access problems:

# Test access rules directly by running the service's account stack for a user;
# pamtester (a separately packaged PAM test utility) stands in here because
# pam_access ships no command-line checker, and -I rhost sets the origin it sees
pamtester -v -I rhost=hostname service username acct_mgmt

For your specific cron job issue, consider:

# Allow specific user for cron
+ : cronuser : cron crond

Remember to check system logs for authentication errors:

journalctl -f | grep -i pam_access

For complex scenarios, you can combine access.conf with other PAM modules:

# Example PAM stack combining multiple modules
account required pam_access.so
account required pam_time.so