Red Hat Bugzilla – Bug 1479064
crontab(1) generates pam error "PAM pam_end: NULL pam handle passed"
Last modified: 2018-05-22 00:36:55 EDT
Description of problem: cron generates pam error: "PAM pam_end: NULL pam handle passed" Version-Release number of selected component (if applicable): cronie-1.4.11-17.el7.x86_64 pam-1.1.8-18.el7.x86_64 sudo-1.8.19p2-10.el7.x86_64 How reproducible: Every time. Steps to Reproduce: 1. Upgrade to RHEL 7.4 2. Cron/pam/sudo throws new errors. Actual results: /var/log/cron contains new entries, twice an hour: Aug 7 09:26:49 lab116x crontab[24982]: PAM pam_end: NULL pam handle passed Expected results: No logged entries complaining about NULL pam handles. Additional info: So far as I can tell, there are no cron jobs on any of these machines that run every 30 minutes. I see pointers in earlier versions of this error, notably on Arch and Debian bugfixes, that blame this on a problem in sudo, which is why I provided the sudo version. See: https://bbs.archlinux.org/viewtopic.php?id=129211 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646478
Please report the issue through regular Red Hat support channels to help appropriately prioritizing the issue. https://www.redhat.com/support
Also we will need more information to investigate. I am unable to reproduce the issue here.
I have also found at least one of our RHEL 7 machines that took the upgrade and has not started generating errors. I will investigate further and see if I can find the difference.
The machine that was generating no errors had nothing in /var/spool/cron. All the machines that do generate errors have at least a root crontab separate from the /etc/cron.[timespan] directories. The vast majority of our RHEL 7 systems have at least a root crontab. When I edited one machine's crontab to delete every entry, but leave the empty file, I got more of the errors. I also got more errors when I outright deleted the machine's root crontab with 'crontab -r'. I have taken two machines that were generating errors, and changed them: one machine now has nothing at all in /var/spool/cron; the other has an empty root crontab in /var/spool/cron. I will see if either of them throws the errors over the next hour.
Further investigation: non-root crontabs do not trigger the error, nor does running crontab(1) as an ordinary user. Running crontab(1) as root to operate on an ordinary user's crontab does trigger the error.
It's been an hour, and both altered machines have produced no new errors. I'm putting their respective crontabs back and will see if the error recurs. Unless something extremely weird is going on, it is nigh unto certain that the 30 minute intervals are puppet using crontab as root to inspect the cron jobs it controls. So, ultimately, the proper description of the bug: 1) Run crontab(1) as root for any purpose. 2) Get a log entry as pasted above. This is new behavior in RHEL 7.4.
OK, this makes sense. So the severity is low because it is not logged from crond itself but only if crontab is called as root. Nevertheless it is a regression. So thanks for the investigation, but please still report the issue via the regular support channels if you can so we can properly prioritize the fix.
Opened case 1908249, https://access.redhat.com/support/cases/#/case/01908249.
Created attachment 1326358 [details] Do not call pam_end with NULL pamh This patch is part of an upstream commit that contains more changes not relevant to RHEL-7 cronie.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0738