Still OT, but: you can suppress the PAM spam by editing /etc/pam.d/common-session-pc : add the following _before_ the "session required pam_unix.so" line: session [success=1 default=ignore] pam_succeed_if.so quiet use_uid service in crond user ingroup root which means: - when success then skip one line (the pam_unix one), otherwise ignore - be quiet and use job UID, not authenticated UID - success if "service is crond" and "user is in group root" HTH