What are the runtime permissions of a cron job

cronpermissions

When a cron job runs with what privilege does it execute?

I'm not sure about that. Is it with the same privileges of the user that added it via crontab -e?

Best Answer

You can specify a user in the system crontab entries like so:

# For details see man 4 crontabs

# Example of job definition:
.---------------- minute (0 - 59)
|  .------------- hour (0 - 23)
|  |  .---------- day of month (1 - 31)
|  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
|  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
|  |  |  |  |
*  *  *  *  * user-name  command to be executed

The 6th argument can be a username. Additionally you can put scripts in the /etc/cron.d directory. The scripts take the same form as the crontab entries described above, for example:

# /etc/cron.d/clamav-update
## Adjust this line...
MAILTO=root

## It is ok to execute it as root; freshclam drops privileges and becomes
## user 'clamav' as soon as possible
0  */3 * * * root /usr/share/clamav/freshclam-sleep

You can put scripts in these directories, but they're meant to be run as root:

cron.daily
cron.hourly
cron.weekly
cron.monthly

Finally you can create user based crontab entries by running this command as a given user:

$ crontab -e

These entries are stored in files with the same name as the user in this directory, /var/spool/cron/:

$ sudo ls -l /var/spool/cron/
-rw------- 1 saml root 0 Jun  6 06:43 saml

Related Solutions

How to run a cron job to execute every minute

A crontab created with crontab -e and listable with crontab -l should not have a user specified for the command. Your entry should read:

* * * * * /home/test.sh

Or alternatively put the line that you have in /etc/crontab instead.

From man 5 crontab (section EXAMPLE SYSTEM CRON FILE):

# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

Note the last sentence.

What are the filesystem permissions for a cron job

On CentOS, the daily cron job gets executed as

/usr/bin/run-parts /etc/cron.daily

run-parts is a shell script. It looks through the contents of its argument (a directory), filters out things such as files that end in ~, .swp, .rpmsave, and directories, then for every file that passes the test if [ -x $i ], that is, executable by root, it runs the file.

So all the files in /etc/cron.daily that have any x bit at all turned on will be run. You can set the permissions on those files to deny read access to everyone, if you wish; it doesn't matter to root. If you have embedded passwords in the scripts that may be passed as arguments to commands, note that all /proc/*/cmdline files are publically readable, so all users can see all commands and arguments as they're being run.

Best Answer

Related Solutions

How to run a cron job to execute every minute

What are the filesystem permissions for a cron job

Related Question