@reboot jobs don't start for sssd users
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cron (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
How to reproduce:
* Have a sssd user with a @reboot task:
# crontab -lu sssd-user
@reboot date > /tmp/$LOGNAME-
* reboot
* the task was not started. look at systemctl logs:
# systemctl status cron
● cron.service - Regular background program processing daemon
Loaded: loaded (/lib/systemd/
Active: active (running) since jeu. 2016-06-16 17:58:15 CEST; 5min ago
Docs: man:cron(8)
Main PID: 931 (cron)
CGroup: /system.
└─931 /usr/sbin/cron -f
juin 16 17:58:15 hostname systemd[1]: Started Regular background program processing daemon.
juin 16 17:58:15 hostname cron[931]: (CRON) INFO (pidfile fd = 3)
juin 16 17:58:17 hostname cron[931]: (CRON) INFO (Running @reboot jobs)
juin 16 17:58:18 hostname CRON[1068]: pam_sss(
juin 16 17:58:19 hostname cron[931]: Le service d'authentification n'a pas pu récupérer les informations d'authentification
# systemctl status sssd.service
* sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/
Active: active (running) since Thu 2016-06-16 17:58:29 CEST; 7min ago
Process: 878 ExecStart=
Main PID: 1167 (sssd)
CGroup: /system.
|-1167 /usr/sbin/sssd -D -f
|-1168 /usr/lib/
|-1214 /usr/lib/
|-1215 /usr/lib/
`-1216 /usr/lib/
Jun 16 17:58:15 hostname systemd[1]: Starting System Security Services Daemon...
Jun 16 17:58:28 hostname sssd[1167]: Starting up
Jun 16 17:58:29 hostname sssd[be[1168]: Starting up
Jun 16 17:58:29 hostname systemd[1]: Started System Security Services Daemon.
Jun 16 17:58:29 hostname sssd[1216]: Starting up
Jun 16 17:58:29 hostname sssd[1215]: Starting up
Jun 16 17:58:29 hostname sssd[1214]: Starting up
As you can see, the @reboot jobs are started a few seconds before my sssd domain.
* How to fix it
Tell systemd to start cron after sssd.
File /lib/systemd/
After=sssd.service
This patch seems to have no effect on systems with no sssd service
CVE References
tags: | added: xenial |
This bug was fixed in the package cron - 3.0pl1-133ubuntu1
---------------
cron (3.0pl1-133ubuntu1) eoan; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ Move MTA to Suggests field.
- d/cron.default: change to a deprecated message to make it clear
that the file is no longer in use.
* Dropped changes, no longer needed:
- Drop upstart system jobs; transition completed as of 18.04.
- Handle /etc/init.d/cron symlink→ real file transition; completed as of
18.04.
cron (3.0pl1-133) unstable; urgency=medium
* SECURITY: Fix bypass of /etc/cron. {allow, deny} on failure to open crond.reboot to /run/crond.reboot.
If these files exist, then they must be readable by the user executing
crontab(1). Users will now be denied by default if they aren't.
(LP: #1813833)
* SECURITY: Fix for possible DoS by use-after-free
A user reported a use-after-free condition in the cron daemon, leading to a
possible Denial-of-Service scenario by crashing the daemon.
(Closes: #809167)
* SECURITY: DoS: Fix unchecked return of calloc()
Florian Weimer discovered that a missing check for the return value of
calloc() could crash the daemon, which could be triggered by a very
large crontab created by a user.
* Enforce maximum crontab line count of 1000 to prevent a malicious user
from creating an excessivly large crontab. The daemon will log a warning
for existing files, and crontab(1) will refuse to create new ones.
* Add d/NEWS altering to the new 1000 lines limit.
* Move /var/run/
* crontab.5: Reverse the info on tilde expansion. When setting PATH, most
shells will not expand a tilde. Thanks, Tim Landscheidt, for the analysis.
(Closes: #801328)
* Fixes for numerous man page issues. Remove trailing whitespace, use proper
escapes, etc. Thanks, Bjarni Ingi Gislason! (Closes: #893575, #893579)
* crontab.1: Drop duplicate DIAGNOSTICS header.
* daemon: Only support the 'x' debug option in debug builds.
cron (3.0pl1-132) unstable; urgency=medium
[ Christian Kastner ]
* postinst: Properly test for regular file
cron.postinst checked for a regular file by parsing the stat output,
instead of simply relying on test(1)
* Mark package cron as Multi-Arch: foreign (Closes: #878363)
[ Stéphane Blondon ]
* Add forgotten '\n' to a line in the crontab header (Closes: #898119)
cron (3.0pl1-131) unstable; urgency=medium
[ Boyuan Yang ] dpkg/architectu re.mk to
* debian/control:
- Merge duplicated build-dependency entry for debhelper
- Update Vcs-* fields and use git repo under Salsa Debian group
(Closes: #913484)
- Add dependency to sensible-utils (Closes: #913483)
* debian/rules: Do not explicitly invoke dpkg-architecture for architecture
variables. Instead we are now using /usr/share/
provide them
[ Bjarni Ingi Gislason ]
* crontab.1: Some format fixes in the manual. (Closes: #893576)
[ Christian Kastner ] Root: no
* d/control:
- Switch Build-Depends from debhelper to debhelper-compat
- Add Rules-Requires-
We don't need (fake)root for building the package
- Drop ancient dpkg...