Lemon-Lime n00b
Joined: 27 Apr 2023 Posts: 54
Posted: Tue Aug 29, 2023 4:22 am Post subject: User was able to use cron without being in the cron group
I was reading the wiki article on cron (https://wiki.gentoo.org/wiki/Cron#Giving_trusted_users_access_to_cron)
It states that a user needs to be in the cron group before using it. However, a user in my system was able to use cron without being in said group.
Is this a bug? Or is the wiki wrong?
PS: I am using cronie
_________________
Crazy frog is the artist, not the song
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Tue Aug 29, 2023 5:09 am
man crontab wrote: | If the cron.allow file exists, a user must be listed in it to be allowed to use crontab. If the cron.allow file does not exist but the cron.deny file does exist, then a user must not be listed in the cron.deny file in order to use crontab. If neither of these files exist, then only the super user is allowed to use crontab. |
I have a cron.deny with no users listed and I can use crontab without being in any cron groups.
It would seem that the wiki is either incorrect or at least incomplete.
_________________
Quis separabit? Quo animo?
Lemon-Lime n00b
Joined: 27 Apr 2023 Posts: 54
Posted: Tue Aug 29, 2023 12:37 pm
Thanks for the quick reply!
I'll try to add those details to the wiki!
_________________
Crazy frog is the artist, not the song
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1688
Posted: Tue Aug 29, 2023 12:44 pm
What does ls -ld /var/spool/cron report?
On my long time server it says:
Code: | $ ls -ld /var/spool/cron
drwxr-x--- 5 root cron 117 Jul 17 11:00 /var/spool/cron
|
This would limit usage to root and those in the cron group to hold crontabs.
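The two controls raised so far in this thread, the cron.allow/cron.deny rule quoted from man crontab and the mode of /var/spool/cron, can be checked together. The script below is an added example, not part of any post here and not Gentoo or cronie code; the function names (listed, crontab_allowed, spool_closed, audit) are hypothetical and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example, not Gentoo or cronie code. Function names are hypothetical.

# listed FILE USER: true if USER is a whole line of FILE. The comment
# lines of the stock cron.deny can never equal a username.
listed() { grep -qxF -- "$2" "$1"; }

# crontab_allowed USER ALLOW_FILE DENY_FILE
# The rule quoted from `man crontab`, taken literally ("root" stands in
# for the super user).
crontab_allowed() {
    if [ -e "$2" ]; then
        listed "$2" "$1"              # cron.allow exists: must be listed
    elif [ -e "$3" ]; then
        ! listed "$3" "$1"            # only cron.deny: must not be listed
    else
        [ "$1" = root ]               # neither file: super user only
    fi
}

# spool_closed DIR: true when DIR gives "other" no permission bits,
# e.g. drwxr-x--- (750) passes and drwxr-xr-x (755) fails.
spool_closed() {
    mode=$(stat -c %a "$1") || return 2   # GNU coreutils stat assumed
    case $mode in *0) return 0 ;; *) return 1 ;; esac
}

# audit USER [ETC_DIR] [SPOOL_DIR]: print both findings for one user.
audit() {
    etc=${2:-/etc} spool=${3:-/var/spool/cron}
    if crontab_allowed "$1" "$etc/cron.allow" "$etc/cron.deny"; then
        echo "$1: permitted by cron.allow/cron.deny"
    else
        echo "$1: refused by cron.allow/cron.deny"
    fi
    if spool_closed "$spool"; then
        echo "$spool: closed to users outside owner and group"
    else
        echo "$spool: accessible to others (or unreadable), check owner and mode"
    fi
}

# Run against the live system only when a username is given.
if [ "$#" -gt 0 ]; then audit "$@"; fi
```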
Lemon-Lime n00b
Joined: 27 Apr 2023 Posts: 54
Posted: Tue Aug 29, 2023 1:20 pm
grknight wrote: | What does ls -ld /var/spool/cron report? |
Code: | drwxr-xr-x 4 cron cron 4096 Jul 10 10:46 /var/spool/cron
|
PS: I am using cronie, my user is not in cron group* and I have an "empty" /etc/cron.deny file that says:
Code: | # If for any reason you have users in the 'cron' group who should not
# be allowed to run crontab, add them to this file (one username per
# line)
|
Which is strange, even the file states that there should be a cron group
* Said user is in the following groups (just in case):
Quote: | lp wheel audio video docker kvm libvirt usb users lpadmin
|
_________________
Crazy frog is the artist, not the song
Lemon-Lime n00b
Joined: 27 Apr 2023 Posts: 54
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1688
Posted: Tue Aug 29, 2023 1:59 pm
This is likely a bug in the cronie ebuild such that it is inconsistent with other crons as well as documentation.
Both bcron and dcron have a call to set /var/spool/cron as root:cron and not readable by everyone.
This also is counterintuitive to the installed cron.deny file.
Edit: After thinking about it for a while, this is likely a transition difference from vixie-cron but still inconsistent.
bcron and dcron reference the cron user while cronie is using a "crontab" user. The default in the cron.eclass is cron user.
I don't know what is right or wrong but it seems like a mess.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
Posted: Tue Aug 29, 2023 4:12 pm
grknight wrote: | What does ls -ld /var/spool/cron report?
On my long time server it says:
Code: | $ ls -ld /var/spool/cron
drwxr-x--- 5 root cron 117 Jul 17 11:00 /var/spool/cron
|
This would limit usage to root and those in the cron group to hold crontabs. |
That seems to be it. With cronie I have:
Code: | $ ls -ld /var/spool/cron
drwxr-xr-x 4 cron root 1024 Sep 2 2021 /var/spool/cron
|
I believe I'm only using cronie because something else was removed from ::gentoo, but I don't recall what I had been using. I'm not a fan of any of the new and "improved" cron implementations I've encountered.
_________________
Quis separabit? Quo animo?
freke l33t
Joined: 23 Jan 2003 Posts: 980 Location: Somewhere in Denmark
Posted: Wed Aug 30, 2023 4:47 pm
Confirming wrong? permissions on /var/spool/cron using cronie
Code: | ns ~ # ls -ld /var/spool/cron/
drwxr-xr-x 4 cron root 4.0K Jul 10 17:29 /var/spool/cron/
|
iirc I switched from vixie-cron which was removed https://bugs.gentoo.org/694036
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1688
Posted: Wed Aug 30, 2023 5:50 pm
This is as a result of GLEP-81 migration with acct-user/cron installing before sys-process/cronbase and not containing similar settings.
Opened Bug 913346 to ask to have it changed.
Lemon-Lime n00b
Joined: 27 Apr 2023 Posts: 54
Posted: Thu Aug 31, 2023 4:40 am
grknight wrote: | Opened Bug 913346 to ask to have it changed. |
Great! Thank you so much for all of your work!
_________________
Crazy frog is the artist, not the song