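[20150821] cron usage problem.txt
--Yesterday, while checking a server, I found a shell script that was invoked by cron but, strangely, would not run.
--I checked /var/log/cron and found: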
Aug 21 11:28:01 dm01dbadm01 crond[109288]: CRON (oracle) ERROR: failed to open PAM security session: Success
Aug 21 11:28:01 dm01dbadm01 crond[109288]: CRON (oracle) ERROR: cannot set security context
Aug 21 11:29:01 dm01dbadm01 crond[110554]: Authentication token is no longer valid; new one required
Aug 21 11:29:01 dm01dbadm01 crond[110554]: CRON (oracle) ERROR: failed to open PAM security session: Success
Aug 21 11:29:01 dm01dbadm01 crond[110554]: CRON (oracle) ERROR: cannot set security context
Aug 21 11:30:01 dm01dbadm01 crond[112190]: Authentication token is no longer valid; new one required
Aug 21 11:30:01 dm01dbadm01 crond[112190]: CRON (oracle) ERROR: failed to open PAM security session: Success
Aug 21 11:30:01 dm01dbadm01 crond[112190]: CRON (oracle) ERROR: cannot set security context
--What is the problem! I looked it up on Baidu:
http://blog.itpub.net/751371/viewspace-1062511/
--It turned out to be a password expiry problem.
# egrep '^root|oracle' /etc/shadow
root:$XXXXXXXXXXX:14132:0:99999:7:::
oracle:$XXXXXXXXXXX:16353:1:90:7:::
# man shadow
DESCRIPTION
shadow manipulates the contents of the shadow password file, /etc/shadow. The structure in the #include file is:
struct spwd {
char *sp_namp; /* user login name */
char *sp_pwdp; /* encrypted password */
long int sp_lstchg; /* last password change */
long int sp_min; /* days until change allowed. */
long int sp_max; /* days before change required */
long int sp_warn; /* days warning for expiration */
long int sp_inact; /* days before account inactive */
long int sp_expire; /* date when account expires */
unsigned long int sp_flag; /* reserved for future use */
}
The meanings of each field are:
. sp_namp - pointer to null-terminated user name
. sp_pwdp - pointer to null-terminated password
. sp_lstchg - days since Jan 1, 1970 password was last changed
. sp_min - days before which password may not be changed
. sp_max - days after which password must be changed
. sp_warn - days before password is to expire that user is warned of pending password expiration
. sp_inact - days after password expires that account is considered inactive and disabled
. sp_expire - days since Jan 1, 1970 when account will be disabled
. sp_flag - reserved for future use
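--Probably because some versions ship with security hardening. Or it is something added during the security hardening work a while back; damn it, nobody told each other about it, and nobody checked either!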
# grep "^PASS_" /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
PASS_MIN_LEN 8
PASS_WARN_AGE 7
--After changing the password.
# passwd oracle
--Extend the period a bit to avoid the problem happening again.
# passwd -x 999 oracle
Adjusting aging data for user oracle.
passwd: Success
# egrep '^root|oracle' /etc/shadow
root:xxxxxxxxxxxl:14132:0:99999:7:::
oracle:XXXXXXXXXXX:16668:1:999:7:::
--Checked /var/log/cron again: normal!
Aug 21 11:54:01 dm01dbadm01 crond[13926]: CRON (oracle) ERROR: cannot set security context
Aug 21 11:55:01 dm01dbadm01 crond[15566]: (oracle) CMD (/home/oracle/bin/xxx.sh > /dev/null 2>&1)
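
--Added example, not part of the original note: a check that reads shadow-format lines and reports which accounts have an expired or soon-to-expire password (sp_lstchg + sp_max compared with today's day number), so an aging policy is noticed before crond starts rejecting the account's jobs. The function names, the 14-day default horizon and the placeholder hash are assumptions; the sample lines reuse the field values shown above.

```shell
#!/bin/sh
# Added example: report password aging state from shadow-format lines.
# Fields: name:hash:sp_lstchg:sp_min:sp_max:sp_warn:sp_inact:sp_expire:sp_flag

# Today's date as "days since Jan 1, 1970", the unit used by sp_lstchg.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Usage: shadow_aging TODAY_DAYS [HORIZON_DAYS] < shadow-format-input
# Prints one line per account: NAME STATE [DAYS_LEFT]
shadow_aging() {
    awk -F: -v today="$1" -v horizon="${2:-14}" '
    $3 == "" || $5 == "" { print $1, "NO_AGING"; next }  # aging fields unset
    $3 == 0 { print $1, "CHANGE_REQUIRED"; next }        # change forced at next login
    {
        left = ($3 + $5) - today     # sp_lstchg + sp_max - today
        if (left < 0)             state = "EXPIRED"      # password older than sp_max days
        else if (left <= horizon) state = "EXPIRING"
        else                      state = "OK"
        print $1, state, left
    }'
}

# Constructed sample: the aging fields from the listing above, with a
# placeholder in the hash field.
sample_shadow() {
    cat <<'EOF'
root:$PLACEHOLDER:14132:0:99999:7:::
oracle:$PLACEHOLDER:16353:1:90:7:::
EOF
}

# On a real host (as root):  shadow_aging "$(today_days)" < /etc/shadow
# With the sample and day 16668 (2015-08-21):
#   sample_shadow | shadow_aging 16668
```

Run from a monitoring job under an account that is not itself subject to aging, the EXPIRING state gives a warning window before cron jobs for that user stop running.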