diff --git a/src/crontab.c b/src/crontab.c
index 22571ff..d165a06 100644
--- a/src/crontab.c
+++ b/src/crontab.c
@@ -170,7 +170,7 @@ int main(int argc, char *argv[]) {
 	}
 
 #if defined(WITH_PAM)
-	if (cron_start_pam(pw) != PAM_SUCCESS) {
+	if (getuid() != 0 && cron_start_pam(pw) != PAM_SUCCESS) {
 		fprintf(stderr,
 			"You (%s) are not allowed to access to (%s) because of pam configuration.\n",
 			User, ProgramName);
diff --git a/src/security.c b/src/security.c
index 4eee004..079ea2a 100644
--- a/src/security.c
+++ b/src/security.c
@@ -88,6 +88,7 @@ static int cron_open_pam_session(struct passwd *pw);
 		if (pam_session_opened != 0) \
 			pam_close_session(pamh, PAM_SILENT); \
 		pam_end(pamh, retcode); \
+		pamh = NULL; \
 	} \
 return(retcode); }
 #endif
@@ -122,7 +123,8 @@ int cron_set_job_security_context(entry *e, user *u ATTRIBUTE_UNUSED,
 	}
 
 #ifdef WITH_PAM
-	if ((ret = cron_start_pam(e->pwd)) != 0) {
+	/* PAM is called only for non-root users or non-system crontab */
+	if ((!u->system || e->pwd->pw_uid != 0) && (ret = cron_start_pam(e->pwd)) != 0) {
 		log_it(e->pwd->pw_name, getpid(), "FAILED to authorize user with PAM",
 			pam_strerror(pamh, ret), 0);
 		return -1;
@@ -152,7 +154,7 @@ int cron_set_job_security_context(entry *e, user *u ATTRIBUTE_UNUSED,
 		freecon(ucontext);
 #endif
 #ifdef WITH_PAM
-	if ((ret = cron_open_pam_session(e->pwd)) != 0) {
+	if (pamh != NULL && (ret = cron_open_pam_session(e->pwd)) != 0) {
 		log_it(e->pwd->pw_name, getpid(),
 			"FAILED to open PAM security session", pam_strerror(pamh, ret), 0);
 		return -1;
@@ -223,7 +225,10 @@ void cron_close_pam(void) {
 		pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
 		pam_close_session(pamh, PAM_SILENT);
 	}
-	pam_end(pamh, PAM_SUCCESS);
+	if (pamh != NULL) {
+		pam_end(pamh, PAM_SUCCESS);
+		pamh = NULL;
+	}
 #endif
 }
 
diff --git a/src/structs.h b/src/structs.h
index 272777a..6d3c15b 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -67,6 +67,7 @@ typedef	struct _user {
 	time_t		mtime;		/* last modtime of crontab */
 	entry		*crontab;	/* this person's crontab */
 	security_context_t	scontext;    /* SELinux security context */
+	int		system;		/* is it a system crontab */
 } user;
 
 typedef	struct _orphan {
diff --git a/src/user.c b/src/user.c
index 20c0d96..e950db7 100644
--- a/src/user.c
+++ b/src/user.c
@@ -89,6 +89,8 @@ load_user (int crontab_fd, struct passwd *pw, const char *uname,
 		goto done;
 	}
 
+	u->system = pw == NULL;
+
 	/* init environment.  this will be copied/augmented for each entry.
 	*/
 	if ((envp = env_init()) == NULL) {