pfSense cron job not running or no output

Hope someone can help me out here.
I've written a python script that I want to run under CRON every 5 minutes.
In keeping with the general security practice of least privilege, I:
created a user "custom" to use for custom scripts;
created a group "custom" (don't want anything running under nobody to have access); and
put the script (monitor) in /home/custom/bin.
The shebang in the script is:
#!/usr/bin/env python2.7
The only permission given to user custom is:
Inherited from Name Description Action
User - System: Shell account access Indicates whether the user is able to login for example via SSH.
Running the script with the command /home/custom/bin/monitor from the command line works regardless of the current working directory.
I tried doing cd / first to make sure it wasn't a path issue, and the script ran correctly.
The script writes 2 files on the first run, and subsequent runs append to those files in the directory /home/custom/bin/mondata
I installed the CRON package and created the following entry:
*/5 * * * * custom /home/custom/bin/monitor
(There doesn't seem to be an "Apply Changes", so I'm assuming that I don't need to reboot or do anything to load the changes.)
(The above entry and many others are displayed in the WebGUI, and I know that several of those other cron jobs are running.)
After waiting for enough time for the script to run, I checked for output and there was nothing.
Changing custom to root for testing purposes (Just in case the issue was a permission problem) doesn't fix the problem.
Here are the relevant file permissions:
[2.3.2-RELEASE][custom@local]/home/custom/bin: ls -laR ~
total 52
drwxr-xr-x 4 custom nobody 512 Aug 7 00:14 .
drwxr-xr-x 4 root wheel 512 Jul 27 15:24 ..
drwxr-xr-x 3 custom custom 512 Aug 7 00:14 bin
/home/custom/bin:
total 20
drwxr-xr-x 3 custom custom 512 Aug 7 00:14 .
drwxr-xr-x 4 custom nobody 512 Aug 7 00:14 ..
drwxrwx--- 2 custom custom 512 Aug 7 00:07 mondata <-Script output goes here
-rwxr-xr-x 1 custom custom 4663 Aug 5 22:44 monitor <-The script
/home/custom/bin/mondata:
total 8
drwxrwx--- 2 custom custom 512 Aug 7 00:07 . <-NO OUTPUT! (I deleted the files manually after successful tests)
drwxr-xr-x 3 custom custom 512 Aug 7 00:14 ..
I checked for an error message in: Status / System / Logs / System / General - Nothing found.
I even tried temporarily changing the permissions on /home/custom/bin/mondata to 777 and setting the cron user to root
(totally unacceptable security practice just for testing, but even that didn't work.)
I have no way of knowing if the script is running and the file writes are being denied for some reason, or if the script isn't running at all.
BTW, where is the cron tab? When I run crontab -l as root, I get crontab: no crontab for root, but I KNOW cron jobs are running.
(I have the daily mail report running.)
Any suggestions - even for troubleshooting to know if the script is running would be helpful.
Thanks.

The issue was that python was not executing.
The so called "portable" shebang that worked at the command line -
#!/usr/bin/env python2.7
- DOES NOT WORK from cron.
I created the following file as /home/custom/bin/tcron
#!/usr/bin/env python2.7
import os
os.system('/usr/local/bin/minicron')
When run from the command line, it put the minicron error into the log every time it is run, but did nothing when run from cron.
I changed #!/usr/bin/env python2.7 to #!/usr/local/bin/python2.7, and now it works.
I don't know if this is intentional that #!/usr/bin/env python2.7 doesn't work from cron, but for now I'm not going to worry about it.
I hope by documenting this it might save somebody else the same trouble, and if it's a bug that should be reported, someone who knows how to do that will do so.
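
Added example, not part of the original post: a shebang of the form #!/usr/bin/env NAME is resolved by searching PATH, and cron jobs usually run with a much shorter PATH than a login shell. The sketch below checks whether a script's env-style shebang resolves under a given PATH; the function names and the demo directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): does an env-style shebang
# resolve under the PATH a cron job gets?

# Print NAME from a "#!/usr/bin/env NAME" first line; print nothing otherwise.
env_shebang_target() {
    head -n 1 "$1" |
        sed -n 's|^#![[:space:]]*/usr/bin/env[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*|\1|p'
}

# Walk the colon-separated list $2 and print the first executable named $1.
resolve_in_path() {
    _name=$1; _old_ifs=$IFS; IFS=:
    for _dir in $2; do
        if [ -n "$_dir" ] && [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
            IFS=$_old_ifs; printf '%s\n' "$_dir/$_name"; return 0
        fi
    done
    IFS=$_old_ifs; return 1
}

# check_shebang SCRIPT PATHLIST -> prints a verdict, returns 1 if unresolvable.
check_shebang() {
    _target=$(env_shebang_target "$1")
    [ -n "$_target" ] || { echo "absolute shebang, PATH not consulted"; return 0; }
    if _found=$(resolve_in_path "$_target" "$2"); then
        echo "ok: $_target -> $_found"
    else
        echo "FAIL: $_target not found in $2"; return 1
    fi
}

# Constructed demo: a stand-in interpreter that exists only in "local/bin".
demo() {
    _t=$(mktemp -d) || return 2
    mkdir -p "$_t/bin" "$_t/local/bin"
    printf '#!/bin/sh\n' > "$_t/local/bin/python2.7"
    chmod +x "$_t/local/bin/python2.7"
    printf '#!/usr/bin/env python2.7\n' > "$_t/monitor"
    check_shebang "$_t/monitor" "$_t/bin"                # short, cron-like PATH
    check_shebang "$_t/monitor" "$_t/bin:$_t/local/bin"  # longer, login-like PATH
    rm -rf "$_t"
}
demo || true
```

Pointing check_shebang at a real script together with the PATH that cron actually uses on the system shows whether the env form can work there.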

crontab failed to run python script at reboot

I have a raspberry pi zero with a python script located in
/home/pi/Documents/camProject
that writes the date and time to a log.txt file.
import datetime
import json
now = datetime.datetime.now()
now = str(now)
with open('log.txt','w') as f:
    json.dump(now, f)
print('script complete')
print(now)
I can call and execute the script from the console when I am standing in camProject folder.
pi@raspberrypi:~/Documents/camProject $ sudo python3 "/home/pi/Documents/camProject/test.py"
script complete
2020-10-17 08:39:46.238224
I want this test.py script to run on every reboot, so from the command console I did
sudo crontab -e
In the bottom of the crontab script I wrote
@reboot sudo python3 "/home/pi/Documents/camProject/test.py"
Upon reboot the raspberry pi device nothing happened and the date is not written into the log.txt file. I have tried executing
sudo python3 "/home/pi/Documents/camProject/test.py"
from my home directory
/home/pi
and I see the print out from my test.py in the console but the log.txt is not updated. However, if I execute the same script from the folder where test.py is located, everything works fine. I then checked the permission and in my camProject folder
pi@raspberrypi:~/Documents/camProject $ ls -l
totalt 20
-rwxrwxrwx 1 pi pi 66 okt 17 00:00 camVision.py
-rwxrwxrwx 1 pi pi 28 okt 17 08:50 log.txt
-rwxrwxrwx 1 pi pi 167 okt 17 08:33 test.py
-rwxrwxrwx 1 pi pi 115 okt 17 07:45 test.pyc
drwxrwxrwx 2 pi pi 4096 okt 16 14:50 Video
I guess the problem is related to log.txt is not writeable when test.py is executed from command console when the execution happened to be outside the camProject folder and therefore not by crontab either. I don't know how to fix this problem?
Your program creates the file in the current working directory. cron jobs run in the invoking user's home directory; thus your cron job writes the file in the home directory of root (probably /root on Debian-based platforms).
Once you create a file as root, it is only writable by root (unless you specifically set permissions to make it world-writable, or assign write access to a specific user group).
Probably change your script to write to /home/pi/log.txt (if that's where you want the file) and make sure the file already exists, or maybe switch to the pi user before creating it if you are running as root. (Once the file exists with the correct owner and permissions, root can append to it without changing the owner or permissions.)
Tangentially, there is no need to use sudo in a cron job which is already running with full root privileges.

Root cronjob does not run correctly, user cronjob does

I am trying to run a root cronjob for executing a script.
Here's the cronjob I put into sudo crontab -e:
*/1 * * * * ~/temperature_log/logtemp.sh >> ~/temperature_log/templog.log>&1
The script requires root permission for hddtemp.
Unfortunately, the templog.log file never appears. The syslog says:
Jun 6 13:09:01 user CRON[32433]: (root) CMD (~/temperature_log/logtemp.sh >> ~/temperature_log/templog.log>&1)
Jun 6 13:09:01 user CRON[32426]: (CRON) info (No MTA installed, discarding output)
So apparently, the script IS run, but something goes wrong from there.
Even stranger: If I run a user cron via just crontab -e, the script executes (without root permissions, though, so it is of no use for me) and does write the log file.
How can I make sure that my root crontab works correctly?
I am connecting to this computer via ssh as a user without root permissions, but I do have the root password.
EDIT
I changed the program now, I want it to log to syslog via logger. Again, running the script manually works and it logs correctly, but running it from crontab just shows this:
Jun 6 14:27:01 user CRON[1657]: (root) CMD (Jun 6 15:06:01 insystems CRON[25328]: (root) CMD (/bin/sh ~/temperature_log/logtemp.sh)
No information is logged. I added the /dev/null part to get rid of the email warning. I am not planning on installing an email service.
Have you written the script to send email alerts? The warning, "(No MTA installed, discarding output)", happens when a mail service is not installed.
Most Linux distributions have a mail service (including an MTA) installed. Ubuntu doesn't though.
You can install a mail service, postfix for example, to solve this problem.
sudo apt-get install postfix
Also, try providing the full path for the files (The absolute path):
~/temperature_log/logtemp.sh and ~/temperature_log/templog.log
Make sure logtemp.sh has execute permission. If not, then issue the command
chmod +x logtemp.sh
My solution was to add the cronjob not to crontab -e but to /etc/crontab. From there, it worked without issues.
I probably made a mistake in the other crontab file, but this solution is okay for me.

Cron job unable to execute non-root script

I have a script say:
[operations@dojo 2018-02-23--18-10-53 ~ $] ls -l cc_snapshot.sh
-rwxr-xr-x 1 operations users 6006 Feb 23 15:02 cc_snapshot.sh
/etc/cron.allow
operations
crontab -l
*/3 * * * * operations /home/operations/cc_snapshot.sh arg1 arg2 >> /var/log/cc_snapshot.log
However nothing gets printed in the /var/log/cc_snapshot.log.
If I remove the operations user from the cron I do see errors in /var/log/cc_snapshot.log as the script is not supposed to be executed as root user.
Any advice as to what I might be doing wrong here?
Clearly a file permission issue. root is the superuser in a Unix environment and it can execute any script in that system. Hence the second error message is coming from your script and not from the shell. Your script doesn't want to be run by root. Check whether the user account has proper access to the file location and proper permission to execute the script. These are very common issues in a Unix environment. Also check whether your user id is added to the proper group or not.

Perl script can't open file owned by root when called from process (Nagios)

I have a VPS with Nagios installed, and I want to use Nagios to monitor the VPS resources in the /proc/user_beancounters file. The file has the following permissions:
-r-------- 1 root root 0 Oct 26 15:53 /proc/user_beancounters
So I downloaded the script from the Nagios Exchange:
https://exchange.nagios.org/directory/Plugins/Operating-Systems/*-Virtual-Environments/OpenVZ/check-beancounters/details
In the instructions it suggests to:
don’t forget to set the s-bit (chmod +s check_UBC.pl)
So, I copied the script over, and set the s-bit, then run it from the terminal as root. It works as expected. I then delete the temp file it created, su into the nagios user, and run the script. It works as expected. I delete the temp file it created, and start up Nagios. It can't read the /proc/user_beancounters file! The exact error I get, helpfully, is "could not read /proc/user_beancounters". This is, I believe, thrown by the line in the Perl script:
if (! open IN, "<", $UBC )
{
    print "could not read $UBC\n";
    exit $ERRORS{'CRITICAL'};
}
My OS is CentOS release 6.2 (Final).
My first thought is that it is some kind of SELinux voodoo, but there is no indication that SELinux is running on this server. Just in case, I tried the following:
echo 0 > /selinux/enforce
But this made no difference.
For reference, this is my nagios service running:
nagios 12939 0.0 0.0 203652 3404 ? Ssl 15:39 0:00 /usr/sbin/nagios -d /etc/nagios/nagios.cfg
And this is where I've put the Perl script:
-rwsr-sr-x 1 nagios nagios 2934 Oct 26 15:37 check_UBC.pl
Any suggestions as to what else I can try?
PS apologies if this should go in a different SE site - never sure with questions that involve scripts, permissions etc...
UPDATE 1
I created a shell script to see if I could 'emulate' the nagios service. It is extremely simple:
#!/bin/bash
/usr/lib64/nagios/plugins/check_UBC.pl
And now I have the following permissions:
-rwsr-sr-x 1 root root 2934 Oct 26 15:37 check_UBC.pl
-rwxrwxrwx 1 root root 51 Oct 26 19:29 check_UBC.sh
As root:
[root@/usr/lib64/nagios/plugins]$ ./check_UBC.pl
everything is fine..
[root@/usr/lib64/nagios/plugins]$ ./check_UBC.sh
everything is fine..
As nagios:
-bash-4.1$ ./check_UBC.pl
everything is fine..
-bash-4.1$ ./check_UBC.sh
everything is fine..
So still no clue...
UPDATE 2
My nagios command definition:
define command{
    command_name check_beancounters
    command_line $USER1$/check_UBC.pl
}
And the service definition:
define service{
    use local-service
    host_name localhost
    service_description VPS Beancounters
    check_command check_beancounters
}
UPDATE 3
I managed to get it to work, but am not over the moon about giving the nagios user full sudo access with no password. In /etc/sudoers I put this on the last line:
nagios ALL=(ALL:ALL) NOPASSWD: ALL
And then changed my command definition to:
define command{
    command_name check_beancounters
    command_line sudo $USER1$/check_UBC.pl
}
Apparently recent versions of Linux will not respect the +s permission when running an interpreted script, only a binary. So I guess I will have to compile a binary wrapper for the script?
UPDATE 4
As per Joe Young's suggestion, I changed my visudo entry to:
nagios ALL=NOPASSWD: /usr/lib64/nagios/plugins/check_UBC.pl
Which hopefully is relatively harmless!
Try changing the owner of check_UBC.pl to root so that when nagios executes check_UBC.pl the script runs as setuid of its owner root and not the nagios user.
chown root:root check_UBC.pl
EDIT:
Can you post your command definition that's calling check_UBC.pl?
The last thing I can think of to try is to install the perl-suid module: https://chrisjean.com/fix-setuid-cannot-exec-sperl/
Although, if check_UBC.pl runs from the command line with no problem, I'm not sure what difference it would make.
What would the risk be to change the permissions on /proc/user_beancounters to 444 (read for all?) It only contains a number, correct? Not sure if that particular file "sticks around" after a reboot, or worse, constantly gets replaced as the services are running, so this could be a problem still.
Also, consider trying to test for actual "existence" of the file, before you attempt to read from it. Since we're in /proc directory, things do change, from time to time....
Lastly, you are asking to open the file, but syntactically is it asking to open in a read only mode? You may want to try a system call to simply "cat" the file contents, in your shell script, and see if you get a response.

running a script in crontab

I have a very simple script in my crontab that I want to run every day. It is located in /home:
-rwxr-xr-x 1 root root 40 Apr 15 08:01 kill_slony_stop_sql.sh
It has execute permission and here is the content:
#!/bin/bash
slon_kill;rcpostgresql stop
and here is the cron line for it to run daily:
56 12 * * * /home/kill_slony_stop_sql.sh
But it is not working for some reason. When I type /home/kill_slony_stop_sql.sh in the command line, it works good but it is not working in the crontab.
Any thoughts?
It is most likely a PATH issue. Have a look at Why is my crontab not running and be sure to set a PATH so that it can call your slon_kill command.
Also, add some debug to your cron
56 12 * * * /home/kill_slony_stop_sql.sh >/tmp/errorcron.log 2>&1
And also look at the logs; cron logs its actions via syslog, which (depending on your setup) often go to /var/log/cron or /var/log/syslog.
I had the same problem with a daily cron job. I used @daily, but this will run at 00:00 every day.
@daily /usr/local/bin/msa70_check.sh
was the crontab line I added; below is the script I run.
#!/bin/bash
# msa70 disk check
/sbin/mdadm --detail /dev/md0 /dev/md1|
/bin/mailx -s"Disk check on server123 please check" person@domain.com
I also had to edit my script and add /sbin/ and /bin in front of mdadm and mailx for the cron job to run.
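
Added example, not part of the original posts: the PATH and working-directory answers above can be checked at a terminal by running the job roughly the way cron does. The helper below starts a command with an empty environment, a short PATH, /bin/sh and the home directory as working directory, and records output and exit status. The names run_like_cron and CRON_PATH and the PATH value are assumptions for illustration; use the PATH documented in crontab(5) on the target system.

```shell
#!/bin/sh
# Added example (not from the original posts): run a command roughly the way
# cron does, so PATH and working-directory failures show up at the terminal.

# Assumption: a short default PATH; check crontab(5) on the target system.
CRON_PATH=/usr/bin:/bin

# run_like_cron HOME_DIR LOG_FILE 'command string'
# Empty environment, short PATH, /bin/sh, cwd = HOME_DIR, no terminal on stdin.
# Output and exit status go to LOG_FILE; the status is also returned.
run_like_cron() {
    _home=$1; _log=$2; _cmd=$3; _rc=0
    (
        cd "$_home" || exit 126
        exec env -i HOME="$_home" SHELL=/bin/sh PATH="$CRON_PATH" \
            /bin/sh -c "$_cmd" </dev/null >"$_log" 2>&1
    ) || _rc=$?
    printf 'exit status: %s\n' "$_rc" >>"$_log"
    return "$_rc"
}

# Constructed demo: a helper that exists only outside CRON_PATH, and a job
# that writes to a relative file name.
demo() {
    _t=$(mktemp -d) || return 2
    mkdir -p "$_t/home" "$_t/tools"
    printf '#!/bin/sh\necho helper ran\n' >"$_t/tools/demo_helper"
    chmod +x "$_t/tools/demo_helper"

    # Bare name: found only if its directory is in PATH, so it fails here.
    run_like_cron "$_t/home" "$_t/bare.log" 'demo_helper'
    echo "bare name     -> $?"
    # Absolute path: independent of PATH.
    run_like_cron "$_t/home" "$_t/abs.log" "$_t/tools/demo_helper"
    echo "absolute path -> $?"
    # A relative output file lands in HOME_DIR, not next to the script.
    run_like_cron "$_t/home" "$_t/rel.log" 'date > log.txt'
    ls "$_t/home"
    rm -rf "$_t"
}
demo || true
```

An exit status of 127 in the log file means the shell could not find the command under the restricted PATH.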
