
Cannot create cron entry from CGI running under Apache

Posted: 2020/06/07 10:54:05
by muebel
Hi support team

I'm trying to create a crontab entry for the user "apache" from a CGI script executed by the Apache web server with SELinux enabled.

The command I try to execute is something like:

/bin/echo '01 01 * * * echo "TEST"' | /bin/crontab -

CentOS Linux release 8.1.1911 (Core) - fresh install (older versions are also affected).

SELinux policy was adapted - no deny messages in the audit.log

With SELinux disabled it works; the crontab entry is correctly created.

The return message from the crontab command is:
You (apache) are not allowed to access to (crontab) because of pam configuration

I already tried the following without success:

1) Adding the following line to /etc/security/access.conf

+ : apache : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6

2) setsebool -P allow_httpd_mod_auth_pam 1

3) Changes in /etc/pam.d/cron

Here is some additional information:

The following message appears in /var/log/cron:

Jun 7 09:46:30 centos8 crontab[17059]: (apache) PAM ERROR (System error)

$ sudo chage -l apache
Last password change : Jun 07, 2020
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : -1
Maximum number of days between password change : -1
Number of days of warning before password expires : -1

$ sudo grep apache /etc/shadow

From a CLI I can execute the command crontab for apache:
$ sudo crontab -u apache -l
no crontab for apache

/etc/cron.deny has no entries
/etc/cron.allow does not exist

$ sudo getenforce

$ sudo cat /var/log/audit/audit.log | audit2allow -m test > test.te
$ cat test.te

module test 1.0;


I also tried on Fedora 32. Same problem.
On Fedora, these messages appear in the cron log:

Jun 2 20:38:16 fedora32 crontab[6951]: PAM audit_log_acct_message() failed: Permission denied
Jun 2 20:38:16 fedora32 crontab[6951]: (apache) PAM ERROR (System error)