How do I start a cron service on a web server programmatically? - linux

I have been stuck on this for a while and this is new territory for me so I need some help. I am working on a project where a cron service is created when a user is created with a web application. However, I am running into problems actually getting the cron service to run. Here is what I have tried:
1) Creating a cron service using
crontab -l | { cat; echo "'command'"; } | crontab -
This creates the job fine. However, it creates it with www-data as the user and those jobs do not appear to execute.
I should mention that I am setting path to
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
as I am running a python script that I have made executable using chmod +x and put the appropriate headers to make sure it runs properly (which it does). In addition, all paths are full paths. To be more clear, here is the actual command I am using inside the crontab
*/10 * * * * /home/user/path-to script/script.py --user_id 1 --db_file /home/user/path-to-file/file.db
However, the script never runs.
2) Creating a file under /etc/cron.d, but from my testing, I have realized that this only works if the file is created as a root user; since the user creating the file is www-data, the job will, again, not execute.
For reference, I am doing that as such:
*/10 * * * * user /home/user/path-to script/script.py --user_id 1 --db_file /home/user/path-to-file/file.db
What does work is repeating steps 2 & 3 using a user that is part of the sudo group or is the root user. This tells me that I need to create the cron job using one of those two users, but I am not sure how to do that programmatically when www-data is being used for web activities.
Another option I have considered is using crontab -u user to programmatically add the job to a user I know works, but the issue with that is that in order to do that I need sudo access and I don't want to pass in the sudo password when creating the cronjob or do something that might be potentially dangerous (like removing the need to use sudo as I know that is possible, but in my opinion could be very bad if someone gains access to the account and therefore has escalated privileges).
Help would really be appreciated.
As for the stack, if it's helpful, I am using Ubuntu 18.04.3 (LTS) x64 and Apache2
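
An added diagnostic for attempt 2 above, not part of the original post: Debian and Ubuntu's cron only loads /etc/cron.d files that are owned by root, are not group- or other-writable, and whose names contain only letters, digits, underscores and hyphens. The function name and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). audit_cron_d reads
# `LC_ALL=C ls -ln /etc/cron.d` output on stdin and prints, for each regular
# file, the reasons Debian/Ubuntu cron would skip it.
audit_cron_d() {
    while read -r perms _links uid _gid _size _mon _day _time name; do
        # Only regular files; this skips the "total N" line, dirs and links.
        case "$perms" in -*) ;; *) continue ;; esac
        why=''
        # cron.d files must be owned by root (uid 0).
        [ "$uid" = 0 ] || why="$why not-owned-by-root(uid=$uid)"
        # Character 6 is the group write bit, character 9 the other write bit.
        case "$perms" in
            ?????w*|????????w*) why="$why group-or-other-writable" ;;
        esac
        # run-parts naming rule: letters, digits, underscore, hyphen only.
        case "$name" in
            *[!A-Za-z0-9_-]*) why="$why bad-filename" ;;
        esac
        if [ -n "$why" ]; then printf '%s:%s\n' "$name" "$why"; fi
    done
    return 0
}

# Constructed listing; uid 33 is www-data on Debian/Ubuntu.
sample_listing() {
cat <<'EOF'
total 16
-rw-r--r-- 1 33 33  96 Jan  5 10:00 webapp-user-1
-rw-rw-r-- 1 0  0   96 Jan  5 10:00 backup
-rw-r--r-- 1 0  0   96 Jan  5 10:00 report.cron
-rw-r--r-- 1 0  0  102 Jan  5 10:00 php
EOF
}

# Live use: LC_ALL=C ls -ln /etc/cron.d | audit_cron_d
sample_listing | audit_cron_d
```

Only the file named php passes all three checks; the file written by uid 33 is reported even though its mode and name are acceptable.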

Related

Node script runs manually but fails in crontab

Currently I am running a few js files manually on a semi-weekly basis for my company. I stumbled on the possibility of automating these runs into cron jobs. I'm fairly novice to shell scripts and was able to achieve this on an outdated personal Mac mini I have.
When trying to replicate the same setup on a company owned device, I hit a wall. I think it has something to do with user permissions or current user cron differing from sudo cron. (The user I have is the only user on the device.)
I can manually run this script on the current user macserver#Mac-mini ~ % , utilizing the node NVM_BIN I downloaded through homebrew and it runs fine.
Terminal entry like this:
cd Desktop/main-tool && /Users/macserver/.nvm/versions/node/v18.12.1/bin/node main.js
I then try accessing cron using the nano editor EDITOR=nano crontab -e adding the command above except with the scheduling expression and nothing happens.
Cron entry like this:
* * * * * cd Desktop/main-tool && /Users/macserver/.nvm/versions/node/v18.12.1/bin/node main.js
Is there a way to view if cron jobs are running instead of just viewing an active list? Not sure where to start troubleshooting as the information I have come across references anywhere from changing root variables for users to complete environment overhaul which I would like to avoid.
My PATH and SHELL:
$SHELL=/bin/zsh
$PATH=/Users/macserver/.nvm/versions/node/v18.12.1/bin:/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
Let me know if any other info might help.

Bitbucket Pipeline: run step as non-root

One of my steps in my Bitbucket deployment pipeline involves executing
- step:
    name: Start MaintenanceMode
    script:
      - php bin/wp-cli.phar mm_enter --ssh=[...]
However, understandably wp_cli.phar doesn't love being run as root. I can get rid of the error by using --allow-root, but I would prefer to simply not run anything in the step as root. Is there any way to run a step in a Bitbucket pipeline without root privileges?
I've looked at this similar question but that seems to only work because node creates a new user.
Here is the specific output from the line
Error: YIKES! It looks like you're running this as root. You probably meant to run this as the user that your WordPress installation exists under.
If you REALLY mean to run this as root, we won't stop you, but just bear in mind that any code on this site will then have full control of your server, making it quite DANGEROUS.
If you'd like to continue as root, please run this again, adding this flag: --allow-root
If you'd like to run it as the user that this site is under, you can run the following to become the respective user:
sudo -u USER -i -- wp <command>
You have several solutions
Check the list of available users in the container - most of all your container already has a user
Create a new user for yourself at the stage of building a container without root privileges

How do I restore CronTab to my WebMin system

I don't know if this was an effect of the shellshock attack which my server was victim to (or another attack that worked) but it basically enabled the hacker to overwrite my SSH config file when the server rebooted.
This new file used wget to load in a file from a website, then another library of hack functions which I guessed he then used to run hacks/DOS from my server. I caught it pretty fast and ideally want to upgrade but because I have cancer and just had a big operation it is too much effort at the moment.
Therefore I did a lot of housekeeping, changing passwords, removing shell access, reverting back to DASH, replacing the default shell for root and any other users to another folder with symbolic links, restoring the config file for SSH, removing CGI functionality from config files e.g.
ScriptAlias /cgi-bin/ /home/searchmysite/cgi-bin/
#
allow from all
#
Removed AW stats and Webalizer for all virtual min sites.
I already had DenyHosts and Fail2Ban installed.
I also blocked in/outbound traffic to the IPs of the sites he was getting the files from.
However it seems since this change I have lost the visual cron manager from webmin.
When I go to the menu item "Scheduled Cron Jobs", it says, "The command crontab for managing user Cron configurations was not found. Maybe Cron is not installed on this system?"
However I can see in the file system it exists.
When I run crontab -l or crontab -e I get "Permission Denied"
whoami shows "root"
I did think at the time of the hack this was all related and he had used SSH and a Cron job to get his hack running.
What I want to know is how I can get the CronTab manager back.
All the cron jobs are still running such as importing feeds into my websites, running scheduled emails and so on, what I don't know is how to resolve this without a full rebuild.
If I had the time and energy I would do that but I am totally drained and before this hack everything was just running smoothly and my websites which bring me in money were working fine.
They currently are still working fine and I regularly check my logs for IPs that look odd, have strong htaccess rules for xss/sql/path traversal/file hacks and ban whole countries from Cloudflare which the site sits behind. So I don't "think" the machine is compromised at the moment even if it is old - could be wrong though!
Details of box:
Operating system: Debian Linux 5.0
Virtualmin version: 3.98.gpl GPL
WebMin version: 1.610
Kernel and CPU: Linux 2.6.32.9-rscloud on x86_64
So if anyone can help me get my crontab manager back that would be great.
Thanks
1) check if chattr exists, if not, download a new one.
2) type whereis crontab, then chattr -isa /path/to/crontab (usually /usr/bin/cron), then chmod crontab back to its original settings.
3) navigate to /var/spool/ and
chattr -isa cron
cd cron
chattr -isa crontabs
4) remove cron entry in /etc/cron.weekly
Look in /etc/cron.weekly for any new
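
A read-only check that can be run before the chattr steps above, added here as an example and not part of the original answer: it parses `lsattr -d` output and reports which paths carry the i, a or s attributes that `chattr -isa` clears. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). flag_locked_attrs reads
# `lsattr -d` output on stdin and prints "<flags> <path>" for every path whose
# attribute field contains i (immutable), a (append-only) or s (secure
# deletion), the three flags removed by `chattr -isa`.
flag_locked_attrs() {
    while read -r attrs path; do
        # Skip blank lines and lsattr error lines such as
        # "lsattr: Permission denied While reading flags on ...".
        case "$attrs" in ''|lsattr:*) continue ;; esac
        found=''
        for flag in i a s; do
            case "$attrs" in *"$flag"*) found="$found$flag" ;; esac
        done
        if [ -n "$found" ]; then printf '%s %s\n' "$found" "$path"; fi
    done
    return 0
}

# Constructed sample in the format printed by `lsattr -d`.
sample_lsattr() {
cat <<'EOF'
----i---------e------- /usr/bin/crontab
--------------e------- /usr/sbin/cron
s---ia--------e------- /var/spool/cron
-----a--------e------- /var/spool/cron/crontabs
EOF
}

# Live use (as root):
#   lsattr -d "$(command -v crontab)" /var/spool/cron /var/spool/cron/crontabs 2>&1 | flag_locked_attrs
sample_lsattr | flag_locked_attrs
```

Keeping the output gives a record of which attributes were set, and on which paths, before they are cleared.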

What user will Ansible run my commands as?

Background
My question seems simple, but it gets more complex really fast.
Basically, I got really tired of maintaining my servers manually (screams in background) and I decided it was time to find a way to make being a server admin much more liveable. That's when I found Ansible. Great huh? Sure beats making bash scripts (louder scream) for everything I wanted to automate.
What's the problem?
I'm having a lot of trouble figuring out what user my Ansible playbook will run certain things as. I also need the ability to specify what user certain tasks will run as. Here are some specific use cases:
Cloning a repo as another user:
My purpose with this is to run my node.js webapp from another user, who we'll call bill (that can only use sudo to run a script that I made that starts the node server, as opposed to root or my user that can use sudo for all commands). To do this, I need the ability to have Ansible's git module clone my git repo as bill. How would I do that?
Knowing how Ansible will gain root:
As far as I understand, you can set what user Ansible will connect to the server you're maintaining by defining 'user' at the beginning of the playbook file. Here's what I don't understand: if I tell it to connect via my username, joe, and ask it to update a package via the apt module, how will it gain root? Sudo usually prompts me for my password, and I'd prefer keeping it that way (for security).
Final request
I've scoured the Ansible docs, done some (what I thought was thorough) Googling, and generally just tried to figure it out on my own, but this information continues to elude me.
I am very new to Ansible, and while it's mostly straightforward, I would benefit greatly if I could understand exactly how Ansible runs, on which users it runs, and how/where I can specify what user to use at different times.
Thank you tons in advance
You may find it useful to read the Hosts and Users section on Ansible's documentation site:
http://docs.ansible.com/playbooks_intro.html#hosts-and-users
In summary, ansible will run all commands in a playbook as the user specified in the remote_user variable (assuming you're using ansible >= 1.4, user before that). You can specify this variable on a per-task basis as well, in case a task needs to run as a certain user.
Use sudo: true in any playbook/task to use sudo to run it. Use the sudo_user variable to specify a user to sudo to if you don't want to use root.
In practice, I've found it easiest to run my playbook as a deploy user that has sudo privileges. I set up my SSH keys so I can SSH into any host as deploy without using a password. This means that I can run my playbook without using a password and even use sudo if I need to.
I use this same user to do things like cloning git repos and starting/stopping services. If a service needs to run as a lower-privileged user, I let the init script take care of that. A quick Google search for a node.js init.d script revealed this one for CentOS:
https://gist.github.com/nariyu/1211413
Doing things this way helps to keep it simple, which I like.
Hope that helps.
My 2 cents:
1) Ansible uses your local user (e.g. Mike) to ssh to the remote machine. (That required Mike to be able to ssh to the machine)
2) From there it can change to a remote user if needed
3) It can also sudo if needed and if Mike is allowed. If no user is specified then root will be selected via your ~/.ansible.cfg on your local machine.
4) If you supply a remote_user with the sudo param then like no.3 it will not use root but that user.
5) You can specify different situations and different users or sudo via the playbooks.
6) Playbooks define which roles will be run into each machine that belongs to the inventory selected.
I suggest you read Ansible best practices for some explanation on how to setup your infrastructure.
Oh and btw, since you are not referring to a specific module that ansible uses and your question is not related to python, I don't find any use in your question having the python tag.
Just a note that Ansible>=1.9 uses privilege escalation commands so you can execute tasks and create resources as that secondary user if need be:
- name: Install software
  shell: "curl -s get.dangerous_software.install | sudo bash"
  become_user: root
https://ansible-docs.readthedocs.io/zh/stable-2.0/rst/become.html
I notice current answers are a bit old and suffering from link rot.
Ansible will SSH as your current user, by default:
https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html#connecting-to-remote-nodes
Ansible communicates with remote machines over the SSH protocol. By default, Ansible uses native OpenSSH and connects to remote machines using your current user name, just as SSH does.
This can be overridden using:
passing the -u parameter at the command line
setting user information in your inventory file
setting user information in your configuration file
setting environment variables
But then you must ensure a route exists to SSH as that user. An approach to maintaining user-level ownership I see more often is become (root) and then to chown -R jdoe:jdoe /the/file/path.
In my 2.12 release of ansible I found the only way I could change the user was by specifying become: yes as an option at the play level. That way I am SSHing as the unprivileged, default, user. This user must have passwordless sudo enabled on the remote and is about the safest I could make my VPS. From this I could then switch to another user, with become_user, from an arbitrary command task.
Like this:
- name: Getting Started
  gather_facts: false
  hosts: all
  become: yes # All tasks that follow will become root.
  tasks:
    - name: get the username running the deploy
      command: echo $USER
      become_user: trubuntu # From root we can switch to trubuntu.
If the user permitted SSH access to your remote is, say, victor, and not your current user, then remote_user: victor has a place at the play level, adjacent to become: yes.

Cronjob on Amazon EC2 Deleted?

I had a cronjob set up to run a php script daily, which went well for about a month. Today, I realized it didn't run the script so I opened up the crontab. The crontab is completely empty - what happened?
I don't know too much about cronjobs, but as far as I understand, they do not delete themselves if the server is reset. How can I make sure cronjobs are always running and that they don't get deleted?
It is probably under a different user. Check the root user: sudo crontab -e. Each user has its own crontab and there's one for the whole system. Note: Through the crontab configuration you can disable per-user crontabs.
