(root) AUTH (crontab command not allowed)

[NeoIce]

so I'm using logcheck on Debian Etch. I ran BastilleInteractive over the system and _I believe_ I chose to restrict cron. all that did is 'echo root > /etc/cron.allow'

however, this causes syslog to fill up with messages like this:

Oct 18 06:25:02 thule /usr/bin/crontab[17935]: (root) AUTH (crontab command not allowed)

from 'man crontab'

If the /etc/cron.allow file exists, then you must be listed therein in order to be allowed to use this command. If the /etc/cron.allow file does not exist but the /etc/cron.deny file does exist, then you must not be listed in the /etc/cron.deny file in order to use this command. If neither of these files exists, then depending on site-dependent configuration parameters, only the super user will be allowed to use this command, or all users will be able to use this command. For standard Debian systems, all users may use this command.

Code:

root@thule:~# ls -l /etc/cron.allow 
-rw-r--r-- 1 root root 5 2008-10-18 08:15 /etc/cron.allow
root@thule:~# cat /etc/cron.allow 
root

I must be missing something simple. Google wasnt too helpful, said check permissions and cron.allow.

[NeoIce]

bump? I'm still getting these messages twice a day or so.

[aSmig]

I just ran into this issue after installing chkrootkit which does a daily 'crontab -lu nobody'. Of course, it took some monkeying to figure out that it was chkrootkit making the call. From crontab.c;

Code:

if (!allowed(User)) {
        fprintf(stderr,
                "You (%s) are not allowed to use this program (%s)\n",
                User, ProgramName);
        fprintf(stderr, "See crontab(1) for more information\n");
       log_it(RealUser, Pid, "AUTH", "crontab command not allowed");
       exit(ERROR_EXIT);

crontab.c from Google Codesearch

So it seems that if the user (specified with -u) isn't authorized to use crontab, then the caller (root) gets blamed for the bad call in syslog. Not especially informative. I wrapped /usr/bin/crontab with a quick hackish shell script to log the parent process and calling arguments;

Code:

#!/bin/sh
logger "crontab called by `ps -o comm= -p $PPID` with args $*"
exec /usr/bin/crontab-real $@

After running this for a day or two, the logs are a bit noisier, but it actually tells you what is going on. logcheck is already set up to ignore LIST log entries, so you can simply add users to cron.allow and unwrap crontab for normal clean logs. Oh, I also found that modifying the regex in /etc/logcheck/ignore.d.server/cron to include an optional '/usr/bin/' before crontab helps.

Code:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ (/usr/bin/)?crontab\[[0-9]+\]: \([[:alnum:]-]+\) LIST \([[:alnum:]-]+\)$