From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: EXT :Re: RedHat 6 Testing
Date: Fri, 25 Mar 2011 17:38:21 -0400
Message-ID: <201103251738.21527.sgrubb@redhat.com>
References: <5CB21FE316752445AF212D47C8BE56110A19C415@XMBVAG75.northgrum.com>
	<201103251215.18175.sgrubb@redhat.com>
	<5CB21FE316752445AF212D47C8BE56110A19C4B0@XMBVAG75.northgrum.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <5CB21FE316752445AF212D47C8BE56110A19C4B0@XMBVAG75.northgrum.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Boyce, Kevin P (AS)" <Kevin.Boyce@ngc.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Friday, March 25, 2011 02:53:34 pm Boyce, Kevin P (AS) wrote:
> The ausearch records root as the UID.
> 
> The cat command returns a UID of 1386 which is my ldap account UID.
> 
> Is there a way to prevent cron from inheriting my session (perhaps by
> removing the session line in /etc/pam.d/crond)?

If you restarted the daemon, then it literally inherited your credentials and 
environment. The fix for this is rebooting the machine. This only happens if you 
restart sshd, crond, gdm, kdm, xdm since sessions start with them.

-Steve