Public bug reported: When a job is invoked from cron and the pam_group.so is configured to add supplementary groups it DOES NOT work as expected.
pam_group should provide membership based /etc/security/group.conf and it is working fine if you test with login or sudo. After some tests I've compiled pam_group.so in DEBUG and I can confirm that pam_setcred in being called by cron and the module is adding the expected groups membership. Then, checking do_command.c of cron I found there is need to call pam_setcred(pamh, PAM_REINITIALIZE_CRED | PAM_SILENT) after fork() the final patch should be something like #if defined(USE_PAM) if (pamh != NULL) { pam_setcred(pamh, PAM_REINITIALIZE_CRED | PAM_SILENT); } #endif ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: cron 3.0pl1-136ubuntu1 ProcVersionSignature: Ubuntu 5.4.0-65.73-generic 5.4.78 Uname: Linux 5.4.0-65-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.16 Architecture: amd64 CasperMD5CheckResult: pass Date: Mon Mar 1 15:49:42 2021 InstallationDate: Installed on 2021-01-21 (39 days ago) InstallationMedia: Ubuntu-Server 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731) ProcEnviron: TERM=xterm PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: cron UpgradeStatus: No upgrade log present (probably fresh install) ** Affects: cron (Ubuntu) Importance: Undecided Status: New ** Tags: amd64 apport-bug focal uec-images -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1917350 Title: cron not honoring pam_group.so groups To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/1917350/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs