having problem chown-ing a file so the cron runs it as its own user
For security, I am changing some of the running cron scripts so they run as user:dbscripts instead of the root user.
This should hopefully lock down their permissions. The following script runs a daily backup and FTP's it to a server. It is set to tar the file into the following directory:
drwxr-xr-x 2 root root 4096 Aug 16 02:31 myscripts
So, I chown the entire folder to dbscripts and 777 it.
drwxrwxrwx 2 dbscripts dbscripts 4096 Aug 16 02:31 myscripts
I then log in as dbscripts and run the daily backup:
-rwxrwxr-x 1 dbscripts dbscripts 347 Aug 16 02:04 dailybackup.sh
However, I get a permission denied on the folder but the rest of the FTP runs correctly:
Code:
[root@localhost myscripts]# su dbscripts
Is it okay to run these scripts as root from the crontab then? One of the scripts that runs is a PHP script with an exec command in there. I have escaped the input with escapeshellcmd but if it's running as root and someone manages to put an SQL injection attack into the remote database then it could cause issues?
The CentOS docs did look more like server architecture than permissions stuff (http://www.centos.org/docs/5/). I need a rute for RHEL.
So, do I need to change the user running from crontab? If so, I:
- create a user
- copy all the scripts to the new directory
- chown that directory to the new user
When I do that the script won't run as it seems the new user does not have access to read:
Code:
/bin/tar: Removing leading `/' from member names
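One way to check whether a dedicated cron user can reach and write a directory such as myscripts, and whether that directory has been left world-writable (mode 777), is the following added example; it is not code from this thread. It assumes GNU stat and id as shipped on CentOS/RHEL, and the function name and output labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and id (CentOS/RHEL).
# check_cron_path USER DIR   (DIR absolute; run as root to see every level)
# Decides from owner/group/mode bits alone (no ACLs, SELinux, or root
# override) whether USER can reach and write DIR, and prints findings:
#   NOTRAVERSE path  USER lacks x on DIR or one of its ancestors
#   NOWRITE path     USER lacks w on DIR itself
#   WORLDWRITE path  "other" has w without the sticky bit (e.g. mode 777)
#   UNREADABLE path  the caller itself could not stat this level
# Returns 0 with no findings, 1 with findings, 2 on bad arguments.
check_cron_path() {
    user=$1; target=$2; p=$2; rc=0
    case "$target" in /*) ;; *) echo "DIR must be absolute" >&2; return 2 ;; esac
    uid=$(id -u "$user") || return 2
    gids=" $(id -G "$user") "
    while :; do
        if st=$(stat -c '%a %u %g' "$p" 2>/dev/null); then
            set -- $st                      # $1=octal mode $2=uid $3=gid
            mode=$(printf '%04d' "$1")      # pad to 4 digits: 755 -> 0755
            special=${mode%???}; o=${mode#???}
            t=${mode#?};  u=${t%??}
            t=${mode#??}; g=${t%?}
            # Pick the permission class that applies to USER.
            if [ "$2" = "$uid" ]; then bits=$u
            else case "$gids" in *" $3 "*) bits=$g ;; *) bits=$o ;; esac
            fi
            if [ $((bits & 1)) -eq 0 ]; then echo "NOTRAVERSE $p"; rc=1; fi
            if [ "$p" = "$target" ] && [ $((bits & 2)) -eq 0 ]; then
                echo "NOWRITE $p"; rc=1
            fi
            if [ $((o & 2)) -ne 0 ] && [ $((special & 1)) -eq 0 ]; then
                echo "WORLDWRITE $p"; rc=1
            fi
        else
            echo "UNREADABLE $p"; rc=1
        fi
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return $rc
}
# Usage (path is hypothetical): check_cron_path dbscripts /path/to/myscripts
```

A NOTRAVERSE line for a parent directory means that changing the owner or mode of the leaf directory alone will not give the cron user access to it.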
Because if the permissions are 775 on the file, then only newuser and the newuser group will be able to execute it.
It is best to keep scripts owned by root in a location in line with the FSSTND / FHS / LSB (or whatever other system layout standard is current). Scripts that are system cronjobs go in the various /etc/cron\..* dirs, local additions go in /usr/local, so shell scripts that are run manually by root (not executed by unprivileged users) could be in /usr/local/sbin with octal mode 0750.
There are some examples in the /etc/sudoers file.
Code:
[dbscripts@localhost myscripts]$ ./add_remove_squid_users.php
Code:
User_Alias PROXYACCESS = dbscripts
But... can that user use sudo to update the squid passwd file from the command line?
Code:
[dbscripts@localhost myscripts]$ sudo ./add_remove_squid_users.php
You would be better off just putting a single line in sudoers that specified that user for that job only, something like:
dbscripts thishost=(root) /dir/backscript.sh
but post your whole sudoers file so we can advise better.
General format is
usernames/group servername = (usernames command can be run as) command
BTW, you probably need this in regards to your 'Rute for RHEL' comment: http://www.linuxtopia.org/online_boo...ion/index.html
It covers most stuff and is fairly clear. Just don't try to rush things.
Code:
## Sudoers allows particular users to run various commands as
Ok, so you've declared a couple of aliases.
Effectively (in programming terms) you've declared 'variables', but not created any 'cmds'.