
Cron

David Peacock
Frequent Advisor

Cron

I set up a cronjob for a user that runs at 1 AM. The cron job runs fine. The job runs as root instead of the username. This way it is easier to keep an eye on. We have one machine and only one user who needs a cronjob.

I was wondering if it is bad form to have the job run as root instead of the username. The cronjob is not related to the OS. Just an application job that prints several reports.
veni, vidi, vmstat
Victor BERRIDGE
Honored Contributor

Re: Cron

Hi David,
Well, to read the execution output (cron has mailed it to root) you will have to be root, to change the schedule you would have to be root...
The best is to create an operator uid, like oper; like that you could give the passwd of oper to whoever is in charge of the job...
Like that you're on the safe side...

all the best
Victor
James R. Ferguson
Acclaimed Contributor
Solution

Re: Cron

David:

If a task doesn't need to run as 'root', then don't cron it from root. This is especially true if root isn't the owner of the script!!!

From a security, accounting, and management standpoint don't clutter root's crontab with anything that doesn't need to be there.

A middle ground would be to use 'su - <username> -c <command>' in root's crontab to handle things that you (root) want to control.

...JRF...
Ovidiu D. Raita
Valued Contributor

Re: Cron

David,

Just keep in mind that if the user has write permission for that script he can modify the script the way he wants (rm -r * for example) and the script will be run with root rights. Just imagine what can happen....

I would use su -l user -c script_name

Ovidiu
Simple solutions to complex problems
Paula J Frazer-Campbell
Honored Contributor

Re: Cron

Hi David

Ovidiu has hit the nail on the head.
Never Never give a user this amount of power.

It is quite feasible that this user may one day wish to clean up these jobs and put a rm -r * in their script.
This user, scripting with this power can ftp out any data on the machine, copy payroll data to their own dir, create a root level entry in the passwd file, leave a software package for you if they were fired - the list is endless.

Two options come to mind: -

1. You take full control of their routine.
2. Use su in the crontab - as already mentioned.

Paula
If you can spell SysAdmin then you is one - anon
Dan Hetzel
Honored Contributor

Re: Cron

Hi David,

If you want to avoid security issues you can either:
1. Let that script run in the user's crontab. This will guarantee that no harm can be done at the system level, as script will run with the user's UID.
2. Have that script in root's crontab, but run it with 'su - <username> -c <scriptname>'

In the second case, root will have full control over the job: when it runs, receive email messages....

Both will be OK at the security level.

Best regards,

Dan
Everybody knows at least one thing worth sharing -- mailto:dan.hetzel@wildcroft.com
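
A check for the risk raised in the replies above (a job in root's crontab whose script a non-root user owns or can write), as an added example that is not code from any poster in this thread. The function name `audit_root_crontab`, the `appuser` account and the sample paths are assumptions made for illustration.

```shell
# Added example (not from the thread). audit_root_crontab is a hypothetical name.
# Usage: audit_root_crontab CRONTAB_FILE [TRUSTED_UID]   (TRUSTED_UID defaults to 0)
audit_root_crontab() {
    crontab_file=$1
    trusted_uid=${2:-0}
    # Each entry: five schedule fields, then the command line.
    while read -r min hour dom mon dow cmd; do
        case $min in
            ''|'#'*|*=*) continue ;;   # blank line, comment, VAR=value
        esac
        set -f; set -- $cmd; set +f    # split into words without globbing
        prog=$1
        case $prog in
            su|*/su)                   # 'su - user -c script': runs as that user
                printf 'DELEGATED %s\n' "$cmd"; continue ;;
            /*) ;;                     # absolute path: inspect it below
            *)  printf 'UNCHECKED %s\n' "$cmd"; continue ;;  # found via PATH
        esac
        if [ ! -e "$prog" ]; then
            printf 'MISSING %s\n' "$prog"
        # Risky: not owned by the trusted uid, or group/world writable.
        elif [ -n "$(find "$prog" -prune \( ! -user "$trusted_uid" \
                     -o -perm -020 -o -perm -002 \) -print)" ]; then
            printf 'RISKY %s\n' "$prog"
        else
            printf 'OK %s\n' "$prog"
        fi
    done < "$crontab_file"
}

# Constructed demo: one script only its owner can write, one world-writable.
# The files belong to whoever runs the demo, so that uid stands in for root.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/reports.sh"; chmod 755 "$d/reports.sh"
    printf '#!/bin/sh\n' > "$d/cleanup.sh"; chmod 777 "$d/cleanup.sh"
    cat > "$d/crontab" <<EOF
# constructed sample of root's crontab
0 1 * * * $d/reports.sh
30 1 * * * $d/cleanup.sh -v
0 2 * * * su - appuser -c /opt/app/bin/nightly.sh
EOF
    audit_root_crontab "$d/crontab" "$(id -u)"
    rm -rf "$d"
}
demo
```

On a real system, run it as root against a saved copy of `crontab -l` and leave the second argument at its default of 0. It inspects only the script file itself, not the directories above it.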
David Peacock
Frequent Advisor

Re: Cron

Thanks for the responses.

I am the only UNIX guy who works in our department and it helps to bounce these issues off of UNIX people.
veni, vidi, vmstat
Paula J Frazer-Campbell
Honored Contributor

Re: Cron

Hi David
I am sure I am not alone in saying you are most welcome.

:^)

Paula
If you can spell SysAdmin then you is one - anon
James R. Ferguson
Acclaimed Contributor

Re: Cron

Hi David:

You are definitely NOT alone! The more I learn the more I realize how much I don't know; trite, perhaps, but so true. This Forum (and others) exist for ALL of us to learn and to teach. Welcome. Please come and stay.

Regards, Jim.

...JRF...