gagern (n00b)
Joined: 26 Nov 2003 Posts: 54
Posted: Thu Jul 24, 2008 5:21 pm Post subject: running cron job with the ID of a system service
Have you ever tried to get a cron job executed as the apache user, e.g. to do some scheduled cleaning up in files usually managed by PHP scripts? Are you trying to use fcron for this?
I have and did, and got errors like this (in syslog, the error mail was completely empty):
Code:
Jul 24 18:17:53 [fcron] Could not init PAM account management for '...': Authentication service cannot retrieve authentication info
Jul 24 18:17:53 [fcron] Job '...' has *not* run.
Jul 24 18:17:53 [fcron] read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 1): Success
Jul 24 18:17:53 [fcron] read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 2): Success
Jul 24 18:17:54 [fcron] read_write_pipe(): read/write returned 0: retrying... (size: 4, size_processed: 0, num_retry: 3): Success
Jul 24 18:17:55 [fcron] Could not read job pid because of closed pipe: setting it to -1
To solve this, edit /etc/pam.d/fcron and add the option "broken_shadow" to the account line like this:
Code:
-account required pam_unix.so
+account required pam_unix.so nullok broken_shadow
This tells fcron that it is OK to run as a user that has no password, not even a password line in the shadow password file. On my system, the "apache" user has no shadow line. In that case "broken_shadow" alone without "nullok" would be OK. But I guess there might be other setups or other system accounts where there is a shadow line but the password is empty. In those cases the "nullok" would be required. As only root's crontab can designate jobs to be run as different users, there should not be much of a security impact in loosening both those restrictions. Maybe the ebuild should do so by default? I don't know.
With this in place, a job like this (in root's crontab) should work:
Code:
@runas(apache) 1d some/cleanup/script
By the way: those are situations where one would really like to get more detailed error messages! The steps from the empty mail to the change in the PAM settings file are not exactly obvious, hence this small post here.
Cron implementations other than fcron and system services other than apache might of course exhibit similar problems; a fix should be possible in a similar way.
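As an added example (not code from the thread or from fcron), the following POSIX shell script models the two conditions the post above describes for the pam_unix "account" line: a user with no shadow entry at all, which the post fixes with "broken_shadow", and a user whose shadow password field is empty, which the post says needs "nullok". It reads a shadow-format file and a PAM config file and reports which of the two cases applies before and after the change. The users, hashes and file paths are constructed sample data, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread. It checks a user against a shadow
# file and the pam_unix.so options on a PAM "account" line, reporting the two
# failure conditions the post describes. All sample data below is constructed.

# Print the pam_unix.so options from the first "account" line of a PAM file.
pam_unix_account_opts() {
    awk '$1 == "account" && $3 == "pam_unix.so" {
            for (i = 4; i <= NF; i++) printf "%s ", $i
            print ""
            exit
         }' "$1"
}

# check_pam_account <user> <shadow-file> <pam-file>
# Prints one of: missing-shadow | empty-password | ok
# "ok" means neither of the two conditions described in the thread applies.
check_pam_account() {
    user=$1 shadow=$2 pamfile=$3
    opts=" $(pam_unix_account_opts "$pamfile") "
    entry=$(grep "^$user:" "$shadow" | head -n 1)
    if [ -z "$entry" ]; then
        # No shadow line at all: pam_unix needs broken_shadow to accept this.
        case "$opts" in
            *" broken_shadow "*) echo ok ;;
            *) echo missing-shadow ;;
        esac
        return 0
    fi
    # Second colon-separated field is the password hash; empty means no password.
    pwhash=$(printf '%s\n' "$entry" | cut -d: -f2)
    if [ -z "$pwhash" ]; then
        # Empty password field: per the post, nullok is the option that allows it.
        case "$opts" in
            *" nullok "*) echo ok ;;
            *) echo empty-password ;;
        esac
        return 0
    fi
    echo ok
}

# Constructed sample data: hypothetical users and hashes, not from a real system.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SAMPLE_SHADOW=$tmp/shadow
PAM_BEFORE=$tmp/fcron.before   # the "account" line before the change
PAM_AFTER=$tmp/fcron.after     # the "account" line after the change
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructed$notarealhash:17000:0:99999:7:::
nobody:!:17000:0:99999:7:::
svcempty::17000:0:99999:7:::
EOF
# Note: there is deliberately no "apache" line in the constructed shadow file.
printf 'account required pam_unix.so\n' > "$PAM_BEFORE"
printf 'account required pam_unix.so nullok broken_shadow\n' > "$PAM_AFTER"

for u in apache svcempty nobody; do
    printf '%-9s before: %-15s after: %s\n' "$u" \
        "$(check_pam_account "$u" "$SAMPLE_SHADOW" "$PAM_BEFORE")" \
        "$(check_pam_account "$u" "$SAMPLE_SHADOW" "$PAM_AFTER")"
done
```

Running it shows "apache" reported as missing-shadow and "svcempty" as empty-password with the original line, and both as ok once "nullok broken_shadow" is present, while the locked "nobody" account is unaffected either way. Pointing the same functions at the real /etc/shadow and /etc/pam.d/fcron is a quick way to confirm which of the two cases a given service account falls into before loosening the line.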
notHerbert (Advocate)
Joined: 11 Mar 2008 Posts: 2228 Location: 45N 73W
Posted: Thu Aug 28, 2008 2:37 am
You could also do this
Code:
# usermod -s /bin/bash apache
# su apache
# crontab <file> or crontab -e
# exit
# usermod -s /sbin/nologin apache
steveL (Watchman)
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Sat Sep 06, 2008 1:37 am
Nice one, both of you, this is really handy. :-) Hope you don't mind I've copied it to my favourite tips so I don't lose it.
Minor point: don't all cron-executed scripts have to be specified with absolute path (ie starting with a /)?
notHerbert (Advocate)
Joined: 11 Mar 2008 Posts: 2228 Location: 45N 73W
Posted: Sat Sep 06, 2008 3:11 pm
steveL wrote:
Nice one, both of you, this is really handy. Hope you don't mind I've copied it to my favourite tips so I don't lose it.
Alright - yep, thank you
steveL wrote:
Minor point: don't all cron-executed scripts have to be specified with absolute path (ie starting with a /)?
Quote:
root@penguin # cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
PATH contains the directories which will be in the search path for cron
e.g if you've got a program 'foo' in the directory /usr/bar/bin, it might
be worth adding /usr/bar/bin to the path, as it will stop you having to use
the full path to 'foo' every time you want to call it.
steveL (Watchman)
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Tue Sep 09, 2008 1:36 am
Sweet :D
Casshan (n00b)
Joined: 07 May 2004 Posts: 53
Posted: Tue Sep 09, 2008 5:57 am
what about?
Code:
crontab -u apache -e
notHerbert (Advocate)
Joined: 11 Mar 2008 Posts: 2228 Location: 45N 73W
Posted: Thu Sep 11, 2008 1:43 am
Casshan wrote:
what about?
Code:
crontab -u apache -e
Even sweeter
steveL (Watchman)
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Thu Sep 11, 2008 4:26 pm
Heh, I feel like a noob again.. it's a good feeling! :D