Description of problem: if /etc/environment contains "mesg n" or "mesg -n" then all crontab commands run as root will fail indicating that root is not allowed to access crontab because of the pam configuration - selinux is permisive - default /etc/pam.d/crond file - custom /etc/pam.d/system-auth file - cron.allow contains root I believe that this is issue is being caused by BZ#249512 Version-Release number of selected component (if applicable): vixie-cron-4.1-81.el5 How reproducible: Steps to Reproduce: 1. # crontab -l 2. 3. Actual results: Bad Item Passed to pam_*_item() you (root)are not allowed to access to (crontab) because of pam configuration Expected results: scheduled jobs displayed Additional info: The DISA checklist for Unix/RHEL5 requires that "mesg n" or "mesg -n" be in /etc/environment. See V-825 or GEN001780.
Can you please attach the contents of your /etc/environment and /etc/pam.d/system-auth ?
Created attachment 569657 [details] /etc/environment
Created attachment 569659 [details] /etc/pam.d/system-auth-local The default symbolic link of system-auth pointing to system-ayth-ac was removed and replaced with system-auth pointing to system-auth-local.
Either drop the nonsensical 'mesg n' from the /etc/environment or change pam_env line in system-auth to be: auth [default=ignore] pam_env.so The /etc/environment is not read by anything else than pam_env nowadays and it does not make any sense to put there lines that are not in the name=value syntax. Basically your /etc/environment is broken and if DISA checklist explicitly mentions adding 'mesg n' to it, then it should be corrected.
(In reply to comment #4) > Either drop the nonsensical 'mesg n' from the /etc/environment or change > pam_env line in system-auth to be: > > auth [default=ignore] pam_env.so > > The /etc/environment is not read by anything else than pam_env nowadays and it > does not make any sense to put there lines that are not in the name=value > syntax. Basically your /etc/environment is broken and if DISA checklist > explicitly mentions adding 'mesg n' to it, then it should be corrected. Thank you.