Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem: cron generates pam error: "PAM pam_end: NULL pam handle passed"
Version-Release number of selected component (if applicable):
cronie-1.4.11-17.el7.x86_64
pam-1.1.8-18.el7.x86_64
sudo-1.8.19p2-10.el7.x86_64
How reproducible:
Every time.
Steps to Reproduce:
1. Upgrade to RHEL 7.4
2. Cron/pam/sudo throws new errors.
Actual results:
/var/log/cron contains new entries, twice an hour:
Aug 7 09:26:49 lab116x crontab[24982]: PAM pam_end: NULL pam handle passed
Expected results:
No logged entries complaining about NULL pam handles.
Additional info:
So far as I can tell, there are no cron jobs on any of these machines that run every 30 minutes.
I see pointers in earlier versions of this error, notably on Arch and Debian bugfixes, that blame this on a problem in sudo, which is why I provided the sudo version. See:
https://bbs.archlinux.org/viewtopic.php?id=129211https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646478
I have also found at least one of our RHEL 7 machines that took the upgrade and has not started generating errors. I will investigate further and see if I can find the difference.
The machine that was generating no errors had nothing in /var/spool/cron. All the machines that do generate errors have at least a root crontab separate from the /etc/cron.[timespan] directories. The vast majority of our RHEL 7 systems have at least a root crontab.
When I edited one machine's crontab to delete every entry, but leave the empty file, I got more of the errors. I also got more errors when I outright deleted the machine's root crontab with 'crontab -r'.
I have taken two machines that were generating errors, and changed them: one machine now has nothing at all in /var/spool/cron; the other has an empty root crontab in /var/spool/cron. I will see if either of them throws the errors over the next hour.
Further investigation: non-root crontabs do not trigger the error, nor does running crontab(1) as an ordinary user. Running crontab(1) as root to operate on an ordinary user's crontab does trigger the error.
It's been an hour, and both altered machines have produced no new errors. I'm putting their respective crontabs back and will see if the error recurs.
Unless something extremely weird is going on, it is nigh unto certain that the 30 minute intervals are puppet using crontab as root to inspect the cron jobs it controls.
So, ultimately, the proper description of the bug:
1) Run crontab(1) as root for any purpose.
2) Get a log entry as pasted above.
This is new behavior in RHEL 7.4.
OK, this makes sense. So the severity is low because it is not logged from crond itself but only if crontab is called as root. Nevertheless it is a regression.
So thanks for the investigation, but please still report the issue via the regular support channels if you can so we can properly prioritize the fix.
Created attachment 1326358[details]
Do not call pam_end with NULL pamh
This patch is part of an upstream commit that contains more changes not relevant to RHEL-7 cronie.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:0738