[20150821]cron使用问题.txt

[20150821]cron使用问题.txt

--昨天检查服务器发现一个shell脚本，使用cron调用，但是很奇怪，无法执行。
--我检查/var/log/cron发现：

Aug 21 11:28:01 dm01dbadm01 crond[109288]: CRON (oracle) ERROR: failed to open PAM security session: Success
Aug 21 11:28:01 dm01dbadm01 crond[109288]: CRON (oracle) ERROR: cannot set security context
Aug 21 11:29:01 dm01dbadm01 crond[110554]: Authentication token is no longer valid; new one required
Aug 21 11:29:01 dm01dbadm01 crond[110554]: CRON (oracle) ERROR: failed to open PAM security session: Success
Aug 21 11:29:01 dm01dbadm01 crond[110554]: CRON (oracle) ERROR: cannot set security context
Aug 21 11:30:01 dm01dbadm01 crond[112190]: Authentication token is no longer valid; new one required
Aug 21 11:30:01 dm01dbadm01 crond[112190]: CRON (oracle) ERROR: failed to open PAM security session: Success
Aug 21 11:30:01 dm01dbadm01 crond[112190]: CRON (oracle) ERROR: cannot set security context

--什么问题！百度看了一下：

http://blog.itpub.net/751371/viewspace-1062511/

--原来是口令到期的问题。

#  egrep  '^root|oracle' /etc/shadow
root:$XXXXXXXXXXX:14132:0:99999:7:::
oracle:$XXXXXXXXXXX:16353:1:90:7:::

# man shadow

DESCRIPTION
       shadow manipulates the contents of the shadow password file, /etc/shadow. The structure in the #include file is:

          struct spwd {
                char          *sp_namp; /* user login name */
                char          *sp_pwdp; /* encrypted password */
                long int      sp_lstchg; /* last password change */
                long int      sp_min; /* days until change allowed. */
                long int      sp_max; /* days before change required */
                long int      sp_warn; /* days warning for expiration */
                long int      sp_inact; /* days before account inactive */
                long int      sp_expire; /* date when account expires */
                unsigned long int  sp_flag; /* reserved for future use */
          }

       The meanings of each field are:

       . sp_namp - pointer to null-terminated user name
       . sp_pwdp - pointer to null-terminated password
       . sp_lstchg - days since Jan 1, 1970 password was last changed
       . sp_min - days before which password may not be changed
       . sp_max - days after which password must be changed
       . sp_warn - days before password is to expire that user is warned of pending password expiration
       . sp_inact - days after password expires that account is considered inactive and disabled
       . sp_expire - days since Jan 1, 1970 when account will be disabled
       . sp_flag - reserved for future use

--估计一些版本使用了安全加固的原因。或者是前一阵子搞安全加固，加入的东西，TMD也不相互通气，更没人检查哎！

#  grep "^PASS_" /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   7

--修改口令后。
#  passwd oracle

--延长1点时间，避免再次出现问题。
#  passwd -x 999 oracle
Adjusting aging data for user oracle.
passwd: Success

#  egrep  '^root|oracle' /etc/shadow
root:xxxxxxxxxxxl:14132:0:99999:7:::
oracle:XXXXXXXXXXX:16668:1:999:7:::

--再次检查/var/log/cron正常！

Aug 21 11:54:01 dm01dbadm01 crond[13926]: CRON (oracle) ERROR: cannot set security context
Aug 21 11:55:01 dm01dbadm01 crond[15566]: (oracle) CMD (/home/oracle/bin/xxx.sh  > /dev/null 2>&1)