Running Crontab Jobs as Root – Security Risks

cronlinuxSecurityUbuntu

I have some cron jobs that I am running – mostly backup related stuff.

I am having to backup stuck like /etc/apache2/sites/available etc, which require root access.

I have a couple of questions:

When running on a headless server:

Which user is the script run under (assuming I do not specify a user in the cron job entry)?
Is it ok to run the backup script as root – or does that pose a security question?

BTW, my server is running Ubuntu 10.0.4 LTS

Best Answer

If you have secured access to the script sufficiently and made sensible precautions, running something from roots crontab is not usually a security risk.

But don't run a script as root that a non root user can edit or overwrite. This applies to jobs run from cron as well as interactively.

If that script includes other files same applies to them too.

If in doubt always use the principle of least privilege. If you are still unsure you can always ask specific questions on forums and in IRC.

There is (nearly) always a way to run something as a non root user. If all else fails using sudo to limit a user to specific commands also limits the potential to do harm.

So with the example you gave of backing up /etc/apache2/sites-available, that file is by default readable by anyone, so that implies it is access to the destination that is writeable by root only.

You could fix that by

create a group called backupadmins (for example)
set the group on the destination directory to backupadmins
add a user called backupuser (for example)
add the user backupuser to the group backupadmins.
make the directory writeable by the backupadmins group
run the cron job from backupuser's crontab.

Best Answer

Related Solutions

Bash – Unix Cron : Can we set cron jobs to run at the same time

Ubuntu – User cron jobs are not running but system jobs are

Related Topic