Description of problem: rhel4 introduced a modified pam config file for vixie-cron that added pam_access account checking. This caused a handful of cronjobs on restricted shell servers (restricted by pam_access) to fail. There was no warning from rpm that the pam config file changed between vixie-cron versions :( Version-Release number of selected component (if applicable): vixie-cron-4.1-36.EL4 How reproducible: 100% Steps to Reproduce: use pam_access to restrict login to a shell server. Administratively add a crontab either in /etc/cron.d or as a user for which the user is denied in the access.conf file. cronjob will fail. This is a simple case of 'my cronjobs stopped running on my batch job server after applying u2'.
The vixie-cron update in U2 allowed the pam_access module to be used : Bug 163882 - whereas before, it could not be. In addition, the /etc/pam.d/crond file HAD to be changed in U2 to enable the pam_loginuid module for CAPP/EAL3 certification. There is no way that users could have been notified of this change - sorry. One of the main reasons for enabling PAM authentication for cron was give admins the ability to restrict access to the cron service to certain users / groups, and the way this is done with PAM is with pam_access. You should not deny all access to all ttys in access.conf - access should be granted per-terminal / service, so you could have an access.conf like: -:ALL EXCEPT root:ALL EXCEPT LOCAL cron +:ALL:cron Other solutions are to remove the 'account required pam_access.so' from /etc/pam.d/cron, or to add a cron specific access.conf file: 'account required pam_access.so accessfile=/etc/security/cron_access.conf' Or to add an sshd specific access file to /etc/pam.d/sshd: 'account required pam_access.so accessfile=/etc/security/sshd_access.conf' Many other services use pam_access, and you should not deny all services in the global access.conf, but should restrict access per-service. You've already modified the default access.conf and sshd pam configuration files - all the pam configuration files and access.conf files are meant to be user configurable. This problem does not occur with the default pam configuration and access.conf files as shipped with RHEL-4-U2. We cannot guarantee that all user-modified configurations will always work :-) . This is NOTABUG, as nothing within the vixie-cron package caused this problem , and it is not a problem with the default configuration.