running cron job with the ID of a system service
gagern
Posted: Thu Jul 24, 2008 5:21 pm    Post subject: running cron job with the ID of a system service

Have you ever tried to get a cron job executed as the apache user, e.g. to do some scheduled cleaning up in files usually managed by PHP scripts? Are you trying to use fcron for this?

I have and did, and got errors like this (in syslog, the error mail was completely empty):
Code:
Jul 24 18:17:53 [fcron] Could not init PAM account management for '...': Authentication service cannot retrieve authentication info
Jul 24 18:17:53 [fcron] Job '...' has *not* run.
Jul 24 18:17:53 [fcron] read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 1): Success
Jul 24 18:17:53 [fcron] read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 2): Success
Jul 24 18:17:54 [fcron] read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 3): Success
Jul 24 18:17:55 [fcron] Could not read job pid because of closed pipe: setting it to -1


To solve this, edit /etc/pam.d/fcron and add the option "broken_shadow" to the account line like this:
Code:
-account         required        pam_unix.so
+account         required        pam_unix.so nullok broken_shadow
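Review bot: the + line turns on nullok as well as broken_shadow on the pam_unix.so account rule, although the case being fixed (no shadow line for apache) only needs broken_shadow. Because this rule lives in /etc/pam.d/fcron, it applies to every user fcron runs jobs as, so consider adding broken_shadow alone and adding nullok only once an account with an empty password field actually requires it. A comment line above the rule stating why the option is there would also help.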


This tells fcron that it is OK to run as a user that has no password, not even a password line in the shadow password file. On my system, the "apache" user has no shadow line. In that case "broken_shadow" alone without "nullok" would be OK. But I guess there might be other setups or other system accounts where there is a shadow line but the password is empty. In those cases the "nullok" would be required. As only root's crontab can designate jobs to be run as different users, there should not be much of a security impact in loosening both those restrictions. Maybe the ebuild should do so by default? I don't know.

With this in place, a job like this (in root's crontab) should work:
Code:
@runas(apache) 1d some/cleanup/script


By the way: those are situations where one would really like to get more detailed error messages! The steps from the empty mail to the change in the PAM settings file are not exactly obvious, hence this small post here.

Cron implementations other than fcron and system services other than apache might of course exhibit similar problems; a fix should be possible in a similar way.
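
To see which of the two cases from the post above an account falls into (no shadow line, or a shadow line with an empty password field), here is an added example that is not part of the original posts. It classifies accounts from passwd- and shadow-format files; the function names and the sample files are constructed for illustration, and it assumes shadowed passwords are in use.

```shell
#!/bin/sh
# Classify accounts by what their shadow(5) entry looks like.
# File paths are parameters so the check can run on copies of the real files.

# shadow_status PASSWD_FILE SHADOW_FILE USER
# prints: no-such-user | no-shadow-line | empty-password | has-password-field
shadow_status() {
    passwd_file=$1 shadow_file=$2 user=$3
    # Exact match on the name field, so "apache" does not match "apache2".
    if ! awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        echo "no-such-user"
        return 0
    fi
    awk -F: -v u="$user" '
        $1 == u { seen = 1; pw = $2 }
        END {
            if (!seen)         print "no-shadow-line"      # the apache case in the post
            else if (pw == "") print "empty-password"      # the other case the post mentions
            else               print "has-password-field"  # hash, "!" or "*" present
        }' "$shadow_file"
}

# audit PASSWD_FILE SHADOW_FILE: one "user status" line per passwd entry
audit() {
    cut -d: -f1 "$1" | while read -r name; do
        printf '%s %s\n' "$name" "$(shadow_status "$1" "$2" "$name")"
    done
}

# Constructed sample data (not taken from any real system).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/sbin/nologin
svc:x:200:200:constructed:/dev/null:/sbin/nologin
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:$6$constructed$notarealhash:14000:0:99999:7:::
svc::14000:0:99999:7:::
EOF

audit "$demo_dir/passwd" "$demo_dir/shadow"
```

On a live system the same functions can be pointed at /etc/passwd and /etc/shadow as root, for example to list accounts with an empty password field before relaxing the PAM rule.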
notHerbert
Posted: Thu Aug 28, 2008 2:37 am

You could also do this
Code:
# usermod -s /bin/bash apache       # temporarily give apache a login shell
# su apache
$ crontab -e                        # or: crontab <file>
$ exit
# usermod -s /sbin/nologin apache   # restore the non-login shell
steveL
Posted: Sat Sep 06, 2008 1:37 am

Nice one, both of you, this is really handy. :-) Hope you don't mind I've copied it to my favourite tips so I don't lose it.

Minor point: don't all cron-executed scripts have to be specified with absolute path (ie starting with a /)?
notHerbert
Posted: Sat Sep 06, 2008 3:11 pm

steveL wrote:
Nice one, both of you, this is really handy. :-) Hope you don't mind I've copied it to my favourite tips so I don't lose it.

Alright - yep, thank you :D

steveL wrote:
Minor point: don't all cron-executed scripts have to be specified with absolute path (ie starting with a /)?

Quote:
root@penguin # cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

PATH contains the directories which will be in the search path for cron
e.g. if you've got a program 'foo' in the directory /usr/bar/bin, it might
be worth adding /usr/bar/bin to the path, as it will stop you having to use
the full path to 'foo' every time you want to call it.
8)
steveL
Posted: Tue Sep 09, 2008 1:36 am

Sweet :D
Casshan
Posted: Tue Sep 09, 2008 5:57 am

what about?
Code:
crontab -u apache -e
notHerbert
Posted: Thu Sep 11, 2008 1:43 am

Casshan wrote:
what about?
Code:
crontab -u apache -e


Even sweeter :D
steveL
Posted: Thu Sep 11, 2008 4:26 pm

Heh I feel like a noob again.. it's a good feeling! :D