Crontab group permissions


I have noticed on my Debian machine that the crontab user does not have read permissions on the /var/spool/cron/crontabs directory.

drwx-wx--T 2 root crontab 4096 Jun 20 21:34 crontabs

Furthermore, the actual crontab files only have read/write permissions for the user that they belong to.

I have two questions.

  1. Is there any reason that a user crontab would not have read access to the crontabs directory?
  2. Is it a bad idea to give this user read access to the individual crontab files?

The reason for my questions is I have a few developers who need access to edit each crontab. Ideally I would like to have them all in svn or similar so that we can review the changes before putting them live and then some form of deploy script. The svn and deploy is no issue but I was looking for a common user that could edit all crontabs without being root.

Best Answer

The only reason is security. This is quite a popular use case for the SGID bit.

There is a group 'crontab' over there. This group is empty, so there are no members. Group 'crontab' has a very special purpose. The crontab binary is owned by the 'crontab' group and has the SGID (Set Group ID) bit set:

# ls -l /usr/bin/crontab
-rwxr-sr-x 1 root crontab 34784 Jun 14  2012 /usr/bin/crontab

So a file whose SGID bit is set (the crontab command) is used as if it belongs to that group rather than to that user alone. And as far as a file is created within a directory with SGID (the user's crontab file), it inherits its group as well.

1) A user can edit or read his crontab file only through the crontab command.

2) A user has no permission to read or list files in /var/spool/cron/crontabs.
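
Added example, not part of the original answer: a small Python check that decodes the `ls -l` mode strings quoted above and flags deviations from that layout. The function names are hypothetical, and the `-rw-------` file mode is constructed from the question's description of owner-only read/write.

```python
import stat

_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_ls_mode(text):
    """Turn an `ls -l` mode string such as 'drwx-wx--T' into permission bits."""
    if len(text) != 10:
        raise ValueError(f"expected 10 characters, got {text!r}")
    mode = 0
    for i, ch in enumerate(text[1:]):
        if ch == "rwx"[i % 3]:
            mode |= _BITS[i]
        elif i in _SPECIAL and ch in ("tT" if i == 8 else "sS"):
            mode |= _SPECIAL[i]      # setuid / setgid / sticky
            if ch.islower():         # lowercase: the execute bit is set too
                mode |= _BITS[i]
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {text!r}")
    return mode


def audit(binary, spool, crontab_file):
    """Compare three mode strings with the layout described in the answer."""
    b, d, f = (parse_ls_mode(m) for m in (binary, spool, crontab_file))
    findings = []
    if not b & stat.S_ISGID:
        findings.append("crontab binary is not setgid")
    if d & stat.S_IRGRP:
        findings.append("group can list the spool directory")
    if d & stat.S_IRWXO:
        findings.append("others have access to the spool directory")
    if not d & stat.S_ISVTX:
        findings.append("spool directory lacks the sticky bit")
    if f & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("crontab file is accessible beyond its owner")
    return findings


if __name__ == "__main__":
    # Mode strings from the page, plus the constructed owner-only file mode.
    print(oct(parse_ls_mode("drwx-wx--T")))
    print(audit("-rwxr-sr-x", "drwx-wx--T", "-rw-------"))
```

For a live path, `stat.filemode(os.stat(path).st_mode)` produces the same ten-character string that `parse_ls_mode` accepts.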