LinuxQuestions.org
Forum: Linux - Newbie
09-29-2016, 07:00 AM   #1
irishwill2008 (LQ Newbie; Registered: Sep 2016; Posts: 3)
How to give a user permission over another user's crontab?


Hi there,

I have a user called http and I want to give that user access to the crontab of my newly created user, adverts, so I can create cron events using my account http on behalf of adverts.
Below are the commands I tried, but with no luck.
It says:
must be privileged to use -u.
How do I make myself privileged?
Thanks!

My attempt:
groupadd editcrons
usermod -a -G editcrons http
usermod -a -G editcrons adverts
chown :editcrons /var/spool/cron/adverts
chown adverts /var/spool/cron/adverts
ls -l /var/spool/cron/adverts
-rw------- 1 adverts editcrons 44 Sep 29 10:51 /var/spool/cron/adverts
sudo chmod -R g+w /var/spool/cron/adverts
ls -l /var/spool/cron/adverts
-rw--w---- 1 adverts editcrons 44 Sep 29 10:51 /var/spool/cron/adverts
sudo chmod -R g+w+r /var/spool/cron/adverts
ls -l /var/spool/cron/adverts
-rw-rw---- 1 adverts editcrons 44 Sep 29 10:51 /var/spool/cron/adverts

Last edited by irishwill2008; 09-29-2016 at 08:49 AM.
 
09-29-2016, 07:23 AM   #2
Turbocapitalist (Member; Registered: Apr 2005; Distribution: Ubuntu, Devuan, OpenBSD; Posts: 956)
A cron job could run any script or program as that other user. So if you allow the first account to decide the second account's cron jobs, you are letting that first account have carte blanche over that second account. Then I would have to ask what is the point of having a second account?

What tasks are you trying to accomplish?

The tool "sudo" can be modified using the file /etc/sudoers to allow a specific user to run specific commands with defined parameters as another user. Maybe that would be more helpful if any tasks need to be done as that other account.
 
09-29-2016, 07:44 AM   #3
irishwill2008 (LQ Newbie; Original Poster)
I have cron jobs in my first account which I don't want to touch, as they are doing different types of jobs, so I want another space to store cron jobs, which is why I created the second account. I have a PHP script to add or remove cron jobs, and that will interfere if I have it all on one account.

The aim is: the http user has cron jobs set, and my page scheduler.php adds schedules to that. I now have another page called ads.php, in which I am trying to add events to trigger that apply ads etc. My server's user is http, so if I use shell_exec("crontab -r"); to remove all the crons, then it removes all the crons for the http user (again, that messes up my whole working system). So I want to remove all crons in the new account adverts, and I am trying to do it with shell_exec("crontab -r -u adverts"); but no luck. I don't have permission.

How would I go about giving the user http full access over the account adverts? The account adverts will never be used apart from its crontab. I just want http to access and pretty much control all its crontab events.
Let me know if that's possible, thanks!

P.S.: I tried using sudo. In my /etc/sudoers I added: http ALL=(ALL) NOPASSWD: ALL and then tried to complete the task with shell_exec("/usr/bin/sudo crontab -r -u adverts"); but still no luck. The sudo doesn't seem to be triggering.
 
09-29-2016, 08:04 AM   #4
Turbocapitalist (Member; Registered: Apr 2005; Distribution: Ubuntu, Devuan, OpenBSD; Posts: 956)
Ok. Thanks.

The /etc/sudoers line you listed above gives the user http, and thus your shell_exec function, root access to the whole machine; it could potentially zap the root crontab instead of the adverts crontab, as well as being a general risk.

What you probably want would be something more like this:

Code:
http   ALL=(adverts:adverts) NOPASSWD: /usr/bin/crontab
You might skim through the manual page for sudoers to see if you can interpret that line or if you spot anything useful. But it should allow the following with PHP:

Code:
shell_exec("/usr/bin/sudo -u adverts /usr/bin/crontab -r")
If you pass any variables to the shell, be sure that they are 'sanitized' so you avoid bad surprises.

Anyway, "sudo" is very, very useful and very, very powerful. I'd recommend the book "Sudo Mastery" by Michael W Lucas to get the proper background information about how to safely use it. The manual page for "sudoers" will make a lot more sense after reading the book.

Last edited by Turbocapitalist; 09-29-2016 at 08:16 AM.
 
1 member found this post helpful.
09-29-2016, 08:29 AM   #5
jpollard (Senior Member; Registered: Dec 2012; Location: Washington DC area; Distribution: Fedora, CentOS, Slackware; Posts: 4,601)
The better way to do it is to use a root crontab entry, and that crontab entry uses crontab -u.

But having your account used by httpd is just asking for trouble. If the web server gets compromised, so is the other account.

And the next time you login you might not have the same executables you used to use...

The normal way to do it is to set a directory that the web server has only group access (and no write). Then your account (with group access) can write to it creating read only files for the web server.

This way you keep control over YOUR crontab, and the web server doesn't need any (another security failure there).

You can then create as many accounts as you like as members of the shared group, with the understanding that the files to be put there are group read-only (directories may be group rx).

This partitioning protects the accounts, AND prevents the web server from gaining a shell access if it gets hacked. AND it prevents a hacked web server from altering the contents of the directory.

Last edited by jpollard; 09-29-2016 at 08:35 AM.
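The layout jpollard describes above, written out as an added shell example (this is not code from the thread or from any of the posters): the content account owns a directory whose group is the web server's group, the directory is 2750 so the web server can list and traverse it and newly created files inherit the group, and every published file is 0640, so http can read but never write and nothing is world-readable. The check function walks the tree and fails on anything writable by group or others, or readable by others, which is exactly the condition jpollard wants a hacked web server to be unable to reach. The directory path, the file names and the group name are assumptions; the group is only applied when one is passed, because chgrp needs the caller to own the file and belong to the group.

```shell
#!/bin/sh
# Shared read-only web directory (added example, not from the thread).
# Layout: owner = the content account, group = the web server's group,
# directories 2750 (setgid: new files inherit the group), files 0640.
# The web server (http) is only a group member, so it can read but never
# write, and no "other" bit is set, so nothing leaks to other local users.
set -eu

# setup_shared_dir DIR [GROUP]: create DIR with the layout above.
# GROUP (assumed, e.g. "www") is applied only when given.
setup_shared_dir() {
    dir=$1
    mkdir -p "$dir"
    if [ -n "${2-}" ]; then chgrp "$2" "$dir"; fi
    chmod 2750 "$dir"
}

# publish_file SRC DIR: copy SRC into DIR as a group-readable, read-only file.
# The copy is made under a restrictive umask and then fixed to 0640, so the
# file never exists with looser bits than intended. Prints the new path.
publish_file() {
    src=$1
    dir=$2
    dst="$dir/$(basename "$src")"
    (umask 027 && cp "$src" "$dst")
    chmod 0640 "$dst"
    printf '%s\n' "$dst"
}

# check_shared_dir DIR: list every entry under DIR that is writable by group
# or others, or readable by others, and fail if there is any. A passing tree
# is one a compromised web server can read but cannot alter or expose.
check_shared_dir() {
    dir=$1
    bad=$(find "$dir" \( -perm -020 -o -perm -002 -o -perm -004 \) -print)
    if [ -n "$bad" ]; then
        printf 'check_shared_dir: loose permissions under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# When run directly: "script DIR [GROUP]" builds the layout and checks it.
if [ $# -gt 0 ]; then
    setup_shared_dir "$1" "${2-}"
    check_shared_dir "$1"
fi
```

The parent directories above DIR still need an execute bit for the web server's group (or for others) so that it can traverse to DIR; the check only covers the shared tree itself. Run it from cron or a deploy hook after each publish and treat a non-zero exit as a configuration regression.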
 
09-29-2016, 08:31 AM   #6
Habitual (LQ Addict; Registered: Jan 2011; Location: Youngstown, Ohio; Distribution: LM17.1/Xfce4.11.8; Posts: 7,159)
Sudo: you're doing it wrong - PDF seems prudent here.

fascinating.
 
09-29-2016, 08:38 AM   #7
jpollard (Senior Member; Registered: Dec 2012; Location: Washington DC area; Distribution: Fedora, CentOS, Slackware; Posts: 4,601)
Quote:
Originally Posted by Turbocapitalist
Ok. Thanks.

The /etc/sudoers line you listed above gives root access to the whole machine to the user http and your shell_exec function, and thus it could potentially zap the root crontab instead of the adverts crontab as well as is a general risk.

What you probably want would be something more like this:

Code:
http   ALL=(adverts:adverts) NOPASSWD: /usr/bin/crontab
which still gives access to the entire system (all you have to do is specify "root" as the user and you get to run anything as root).
 
1 member found this post helpful.
09-29-2016, 08:44 AM   #8
Turbocapitalist (Member; Registered: Apr 2005; Distribution: Ubuntu, Devuan, OpenBSD; Posts: 956)
Quote:
Originally Posted by jpollard
which still give access to the entire system (all you have to do is specify "root" as the user and you get to run anything as root).
The part in the parentheses prevents that and limits "sudo" to acting as the user adverts for just that one command and no others. The only liability I see with that set up is that the cron job can be set up to run any scripts or commands as the user adverts. Perhaps it is better tightened down further to allow http to only clear the crontab:

Code:
http   ALL=(adverts:adverts) NOPASSWD: /usr/bin/crontab -r
That presumes that adverts itself will fill the crontab on its own.
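Posts #4 and #8 put the boundary in sudoers: the Runas list "(adverts:adverts)" restricts http to acting as adverts, and a command listed with arguments, "/usr/bin/crontab -r", only matches that exact argument list, so "crontab -e", "crontab -" (install from stdin) and "crontab -u root" are all refused. The chmod route in post #1 cannot substitute for this: crontab is a setuid program that decides for itself whether the caller may use -u, and Vixie-derived cron daemons skip spool files whose mode is not 0600 (logged as BAD FILE MODE). What no sudoers rule can decide is which commands end up in the adverts crontab once http is allowed to install one. The script below is an added example, not code from the thread: a hypothetical wrapper at /usr/local/sbin/adverts-crontab that sudoers lets http run as adverts, accepting only "clear" and "install FILE". A fragment is installed only if every job line runs a script under the assumed directory /srv/adverts/jobs with plain-word arguments and no shell metacharacters, and the fragment is copied before it is checked so http cannot swap the file between validation and "crontab FILE". The sudoers drop-in and the PHP call it expects are in the header comment; "-n" makes sudo fail instead of waiting for a password if the rule ever stops matching.

```shell
#!/bin/sh
# adverts-crontab: hypothetical wrapper (added example, not from the thread).
#
# Assumed sudoers drop-in, /etc/sudoers.d/adverts-crontab (check: visudo -cf FILE):
#   http ALL=(adverts:adverts) NOPASSWD: /usr/local/sbin/adverts-crontab
#
# Expected call from PHP running as http (no shell variables, fixed argv):
#   shell_exec('/usr/bin/sudo -n -u adverts /usr/local/sbin/adverts-crontab clear');
#
# Because sudoers names this wrapper and not crontab itself, http can never
# reach "crontab -e", "crontab -" or "crontab -u root" through the rule.
set -eu

CRONTAB_BIN=/usr/bin/crontab
JOB_DIR=/srv/adverts/jobs   # assumed; must contain no regex metacharacters

usage() {
    echo "usage: adverts-crontab clear | install FILE" >&2
    exit 2
}

# Accept one crontab line: blank, a comment, or exactly five schedule fields
# followed by a script under JOB_DIR and optional plain-word arguments.
# Rejects variable assignments (MAILTO=...), @reboot-style names, relative
# path tricks and every shell metacharacter, so a job can only start a file
# that an administrator placed in JOB_DIR.
valid_cron_line() {
    l=$1
    case "$l" in
        ''|'#'*) return 0 ;;
    esac
    re='^([0-9*,/-]+[[:space:]]+){5}'"$JOB_DIR"'/[A-Za-z0-9][A-Za-z0-9_.-]*([[:space:]]+[A-Za-z0-9_.=:-]+)*[[:space:]]*$'
    printf '%s\n' "$l" | grep -Eq "$re"
}

# Validate every line of FILE; report the first offending line and fail.
validate_fragment() {
    file=$1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if ! valid_cron_line "$line"; then
            printf 'adverts-crontab: line %d rejected: %s\n' "$n" "$line" >&2
            return 1
        fi
    done < "$file"
    return 0
}

main() {
    case "${1-}" in
        clear)
            [ $# -eq 1 ] || usage
            # Removes the crontab of the invoking user, which is adverts when
            # "sudo -u adverts" started this script.
            "$CRONTAB_BIN" -r
            ;;
        install)
            [ $# -eq 2 ] || usage
            tmp=$(mktemp)
            trap 'rm -f "$tmp"' EXIT
            # Copy first, then validate the copy: http cannot change the file
            # between the check and the install. "crontab FILE" replaces the
            # whole crontab of the invoking user.
            cat "$2" > "$tmp"
            validate_fragment "$tmp"
            "$CRONTAB_BIN" "$tmp"
            ;;
        *) usage ;;
    esac
}

# Dispatch only when an action is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

The fragment handed to "install" must be readable by adverts (for example written by http into a directory adverts can read), and the scripts in JOB_DIR should be owned by root or adverts and not writable by http, otherwise http regains arbitrary execution as adverts by editing the script rather than the crontab. The accepted schedule syntax is deliberately narrow (numeric fields, "*", ",", "-" and "/"); extend the pattern if you need names such as "@daily".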
 
09-29-2016, 08:46 AM   #9
jpollard (Senior Member; Registered: Dec 2012; Location: Washington DC area; Distribution: Fedora, CentOS, Slackware; Posts: 4,601)
I still think giving only group access is much more secure. Allowing a hacked web server to access cron still gives shell access.
 
09-29-2016, 08:49 AM   #10
irishwill2008 (LQ Newbie; Original Poster)
Hi there,

The issue was that I needed to give full paths to the commands. Example: /usr/bin/sudo /usr/bin/crontab
All worked! I only realized you had given me that result by refreshing moments ago, but it was too late as I had figured it out, haha.

Thanks very much! Really appreciate it. I will use some of the tips above with the sudoers config.
Cheers!
 
09-29-2016, 08:55 AM   #11
Turbocapitalist (Member; Registered: Apr 2005; Distribution: Ubuntu, Devuan, OpenBSD; Posts: 956)
Ok. Great that it's working.

Quote:
Originally Posted by jpollard
I still think giving only group access is much more secure. Allowing a hacked web server to access cron still gives shell access.
Yes, access to cron gives shell access, as hinted perhaps too indirectly in #2 above.

irishwill2008, I also agree with jpollard about the groups. You might see how much can be done without using crontab at all.
 
  

