Access Control causes crontab to not function correctly

Article ID: 143928

Updated On:

Products

CA Privileged Access Manager (PAM)

CA Privileged Access Manager - Cloakware Password Authority (PA)

PAM SAFENET LUNA HSM

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

At the console the user receives this message: 


   You (tibco) are not allowed to access to (crontab) because of pam configuration.


The seaudit log shows a denial based on the SURROGATE rule, indicating that no such rule exists:

   28 Jan 2020 14:46:16 D SURROGATE    tibco      Read       69  2 USER.root            /usr/bin/crontab     lvntest004437 (OS user)        tibco

 

Cause

seos protects against UID impersonation through the SURROGATE rule. The crontab executable has the SETUID flag set, which lets users manage cron jobs with the executable running as the root user. This change in the UID is flagged and blocked.

 

$ ls -la /usr/bin/crontab

-rwsr-xr-x. 1 root root 57664 Nov  5  2018 /usr/bin/crontab
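
The following triage helper is an added example, not part of the original article or of the product: it parses a SURROGATE denial like the seaudit line above and checks whether the program involved is a SETUID binary owned by the target user, which confirms the cause described here. The field layout is an assumption inferred from that single log line, and mapping USER.root to UID 0 is also an assumption.

```python
import os
import re
import stat

# Sample record copied from the seaudit line shown in this article.
SAMPLE = ("28 Jan 2020 14:46:16 D SURROGATE    tibco      Read       69  2 "
          "USER.root            /usr/bin/crontab     lvntest004437 (OS user)        tibco")

# Assumed layout: timestamp, result, class, user, access, two numeric codes,
# target resource, program path, host. Inferred from the sample only.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<result>[A-Z])\s+(?P<cls>SURROGATE)\s+(?P<user>\S+)\s+"
    r"(?P<access>\S+)\s+(?P<code1>\d+)\s+(?P<code2>\d+)\s+"
    r"(?P<target>(?:USER|GROUP)\.\S+)\s+(?P<program>/\S+)\s+(?P<host>\S+)"
)

def parse_surrogate_denial(line):
    """Return a dict for a denied (D) SURROGATE record, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("result") != "D":
        return None
    return m.groupdict()

def is_setuid_for(program, target_uid, stat_fn=os.stat):
    """True if program is a regular file with the setuid bit, owned by target_uid."""
    try:
        st = stat_fn(program)
    except OSError:
        return False  # missing or unreadable path: cannot confirm the cause
    return (stat.S_ISREG(st.st_mode)
            and bool(st.st_mode & stat.S_ISUID)
            and st.st_uid == target_uid)

def triage(line, target_uid=0, stat_fn=os.stat):
    """Parse a denial and flag whether a setuid binary explains it."""
    rec = parse_surrogate_denial(line)
    if rec is None:
        return None
    rec["setuid_cause"] = is_setuid_for(rec["program"], target_uid, stat_fn)
    return rec

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A record with setuid_cause set to False points to a different reason for the denial, so it should be investigated before any SURROGATE rule is added for that program.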

Environment

Release : 12.8, 14.0, 14.1

Component : PRIVILEGED ACCESS MANAGEMENT SC 

Resolution

Add a rule for all users. This does not override any system rules:

authorize SURROGATE ('USER.root') access(READ) id('*') via(pgm('/usr/bin/crontab*'))