
Re: Cron and lockout accounts

 
Henry Cheung
Occasional Contributor

Cron and lockout accounts

It appeared that cron will execute user jobs even when lockout is flagged in the TCB. Is there a man page or document to confirm this behaviour? I looked for a while but could not come across any.

We have HP-UX 11.11

OldSchool
Honored Contributor

Re: Cron and lockout accounts

I'd think it would behave that way, as cron doesn't login.

You could always create a dummy / test account, set up a test cron job (a simple "date" should suffice), disable the account and see what happens.
Henry Cheung
Occasional Contributor

Re: Cron and lockout accounts

I prefer a piece of written HP documentation to corroborate this HP-UX behaviour, as this will be a gotcha for us multi-vendor Unix sysadmins.
OldSchool
Honored Contributor

Re: Cron and lockout accounts

hmmm...what you prefer and what is available may be disjoint.

what's to prevent *you* from observing behaviour AND THEN documenting the observed results???
Bill Hassell
Honored Contributor

Re: Cron and lockout accounts

cron never logs in because it is never interactive. cron is run as root and schedules processes on behalf of user IDs with crontab entries. The only time a user's login state is tested is when a user logs in or starts a batch shell.


Bill Hassell, sysadmin
Johnson Punniyalingam
Honored Contributor

Re: Cron and lockout accounts

>>It appeared that cron will execute user jobs even when lockout is flagged in the TCB. Is there a man page or document to confirm this behaviour ? I looked for a while but cannot come across any.<<

No, it will not >> It will result in cron.log<<,
which has "BAD User" if your account has any problem
Problems are common to all, but attitude makes the difference
Bill Hassell
Honored Contributor

Re: Cron and lockout accounts

> No It will not >> It will result in cron.log<<,
> has "BAD User" if your account got any problem

Doesn't seem to be in cron, at least for 11.11. An administrator lock for a user ID still allows cron to schedule jobs for the user. Running strings on /usr/sbin/cron doesn't have the word "bad". This seems to be a Solaris feature.


Bill Hassell, sysadmin
Johnson Punniyalingam
Honored Contributor

Re: Cron and lockout accounts

>> This seems to be a Solaris feature<<

Oops, my BAD - sorry for any inconvenience caused :(

Thanks >>Bill<< for correcting me :)
Problems are common to all, but attitude makes the difference
Henry Cheung
Occasional Contributor

Re: Cron and lockout accounts

TCB is a complex extension.
getprpw(1M) indicates 7 lockout flags:

1 past password lifetime
2 past last login time (inactive account)
3 past absolute account lifetime
4 exceeded unsuccessful login attempts
5 password required and a null password
6 admin lock
7 password is a *

I understand there are times we need accounts that are not meant for login.

Perhaps for file ownership.
Perhaps purely for the perpetual execution of scheduled jobs with less-than-root privilege.

My initial quest for documentation was to make sure I did not miss any configurable variables that can alter cron's behaviour.

I think cron should be more refined and check the lockout flag. E.g. for bit 3 and bit 6, IMO, cron should not continue running the user's cron. But then this is debatable and that is not my intention.

I shall live with what I got.
Thanks everyone.
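
An audit for the situation discussed in this thread, added here as an example and not posted by any participant: it lists accounts that still have a crontab although one of the seven TCB lockout flags is set. It assumes a trusted-mode HP-UX system where "getprpw -m lockout user" prints "lockout=NNNNNNN" and crontabs live in /var/spool/cron/crontabs; the short reason labels and function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread: report accounts that still have a
# crontab although a TCB lockout flag is set. Assumed: trusted-mode HP-UX,
# "getprpw -m lockout user" printing "lockout=NNNNNNN", and the default
# crontab directory. Reason labels are shorthand chosen for this example.
CRONDIR=${CRONDIR:-/var/spool/cron/crontabs}
GETPRPW=${GETPRPW:-/usr/lbin/getprpw}

# Decode the 7-character lockout string, left to right, in the order of
# the seven flags quoted from getprpw(1M) above.
decode_lockout() {
    flags=$1 i=1 out=""
    case $flags in
        [01][01][01][01][01][01][01]) ;;
        *) echo "unparsed:$flags"; return 1 ;;
    esac
    for name in pw-lifetime inactive acct-lifetime login-attempts \
                null-password admin-lock star-password; do
        bit=$(printf '%s' "$flags" | cut -c"$i")
        [ "$bit" = 1 ] && out="${out:+$out,}$name"
        i=$((i + 1))
    done
    printf '%s\n' "${out:-none}"
}

# Print "user flags reasons" for every crontab owner with any flag set.
audit_cron_lockouts() {
    for f in "$CRONDIR"/*; do
        [ -f "$f" ] || continue
        user=${f##*/}
        lock=$("$GETPRPW" -m lockout "$user" 2>/dev/null) || continue
        lock=${lock#lockout=}
        [ "$lock" = 0000000 ] && continue
        printf '%s %s %s\n' "$user" "$lock" "$(decode_lockout "$lock")"
    done
}

# Run the audit only where getprpw exists (needs root on a trusted system).
if [ -x "$GETPRPW" ]; then
    audit_cron_lockouts
fi
```

Accounts without a protected password database entry are skipped, since getprpw returns an error for them.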