Bug 1169175

Summary: Can't remove crontab from expired accounts
Product: Red Hat Enterprise Linux 7 Reporter: John Newbigin <jn>
Component: cronieAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Karel Volný <kvolny>
Severity: low Docs Contact:
Priority: low    
Version: 7.0CC: kvolny, todoleza
Target Milestone: rc   
Target Release: 7.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: cronie-1.4.11-16.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 12:22:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Newbigin 2014-12-01 00:11:23 UTC 
Description of problem:
There is no method to remove the crontab of an expired account

Version-Release number of selected component (if applicable):
cronie-1.4.4-12.el6.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. useradd crontest
2. echo '* * * * * echo test' | crontab -u crontest -
3. chage -E 1 crontest
4. crontab -u crontest -r

Actual results:
User account has expired
You (crontest) are not allowed to access to (crontab) because of pam configuration.

Expected results:
(No output = success) It is expected that root can list, edit, delete all crontabs at any time.

Additional info:
Seems to be a design flaw in the way PAM is used by crontab.
Because crond and crontab use the same PAM config, it is not safe to add a uid=0 check.

There may be another easy way to configure PAM to enable this.

As a workaround, the account can be un-expired. This is not desirable because the cronjob may run between the user being un-expired and the crontab being removed.
Comment 2 Tomas Mraz 2014-12-01 11:56:16 UTC 
crontab should simply bypass the PAM checks if run as root.
Comment 3 Tomas Mraz 2014-12-01 12:00:20 UTC 
The proper workaround is to remove the crontab directly with rm.
'rm /var/spool/cron/crontest'
Comment 4 Tomas Mraz 2016-06-09 12:00:09 UTC 
Moving to RHEL-7.
Comment 8 errata-xmlrpc 2017-08-01 12:22:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2061