What are the filesystem permissions for a cron job

cronpermissions

I'm working on a production server. It has some daily cron jobs, and here's the filesystem permissions on them:

cron.daily$ ls -Al
total 24
-rwxr-xr-x 1 root root  332 Dec  3 10:33 0yum-daily.cron
-rwxr-xr-x 1 root root 2239 Jun  9  2014 certwatch
-rwxr-x--- 1 root root  953 Aug 29  2015 gdrive-backup
-rwx------ 1 root root  180 Jul 31  2013 logrotate
-rw-r--r-- 1 root root  618 Mar 17  2014 man-db.cron
-rw-r----- 1 root root  192 Jan 26  2014 mlocate

All but one of the jobs is from CentOS or the hosting provider; while one job is ours. The permissions spread the spectrum.

Our job is gdrive-backup, and its got hard coded usernames and passwords. We did not feel it appropriate to give the world read access to it.

What are the permissions supposed to be on a cron job when it sits on the filesystem?

Here is the cat of crontab, which (I think) shows there's nothing special going on:

$ cat /etc/crontab 
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

$

A related question is What are the runtime permissions of a cron job?, but it discusses the user credentials the job runs under, and not the filesystem permissions.

Best Answer

On CentOS, the daily cron job gets executed as

/usr/bin/run-parts /etc/cron.daily

run-parts is a shell script. It looks through the contents of its argument (a directory), filters out things such as files that end in ~, .swp, .rpmsave, and directories, then for every file that passes the test if [ -x $i ], that is, executable by root, it runs the file.

So all the files in /etc/cron.daily that have any x bit at all turned on will be run. You can set the permissions on those files to deny read access to everyone, if you wish; it doesn't matter to root. If you have embedded passwords in the scripts that may be passed as arguments to commands, note that all /proc/*/cmdline files are publically readable, so all users can see all commands and arguments as they're being run.

Related Solutions

What are the runtime permissions of a cron job

You can specify a user in the system crontab entries like so:

# For details see man 4 crontabs

# Example of job definition:
.---------------- minute (0 - 59)
|  .------------- hour (0 - 23)
|  |  .---------- day of month (1 - 31)
|  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
|  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
|  |  |  |  |
*  *  *  *  * user-name  command to be executed

The 6th argument can be a username. Additionally you can put scripts in the /etc/cron.d directory. The scripts take the same form as the crontab entries described above, for example:

# /etc/cron.d/clamav-update
## Adjust this line...
MAILTO=root

## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamav' as soon as possible
0  */3 * * * root /usr/share/clamav/freshclam-sleep

You can put scripts in these directories, but they're meant to be run as root:

cron.daily
cron.hourly
cron.weekly
cron.monthly

Finally you can create user based crontab entries by running this command as a given user:

$ crontab -e

These entries are stored in files with the same name as the user in this directory, /var/spool/cron/:

$ sudo ls -l /var/spool/cron/
-rw------- 1 saml root 0 Jun  6 06:43 saml

Crontab: “Temporary crontab no longer owned by you.”

You need to edit permissions on the crontab binary and set them back to what they are when you do a fresh install.

NOT WORKING permissions:

ls -la /usr/bin/crontab
-rwsr-xr-x 1 root crontab 40264 Oct  7  2017 /usr/bin/crontab

Action, do as root or using sudo:

chmod g+s /usr/bin/crontab
chmod u-s /usr/bin/crontab

WORKING permissions:

ls -la /usr/bin/crontab
-rwxr-sr-x 1 root crontab 40264 Oct  7  2017 /usr/bin/crontab

Taken from a fresh working installation, the working permissions are set during installation.

No idea why they changed later on.