cron for chrooted users

metobln · 04-19-2005, 10:00 AM

Is this possible?

I got a chrooted environment for my users.

I copied crontab and all necessary libs to that environment and when running crontab everything looks fine. root runs a cronjob every minute and copies all new crontab-files into the real spool. But the cronjobs just don't run. Is there anything I'm missing?

Here is some more detailed information of the environment.

Code:

|-home
|     \-{user}
|            |-home
|            |     \-{user}
|            |-var
|            |    \-spool
|            |-bin      \-cron
|            |-etc           \-crontabs
|            \-lib                     \-{user}
|-var 
|    \-spool
|           \-cron
|-var             \-crontabs
|-bin                       \-{user}
|-etc
\-lib

Red is the chrooted environment

If a chrooted user now edits his crontab, the crontab-file will be written to /home/{user}/var/spool/cron/crontabs/{user}

Since this is not the right path cron will be looking for, I set up a cronjob for root that runs every single minute. The script that is called checks (diff with a backup) if the crontab-files contain any updates. If so, all commands inside the crontab will be chrooted too and the modified file will be written to the right place: /var/spool/cron/crontabs/{user}

An example what is inside a generated crontabfile:

Quote:

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (crontab.test installed on Tue Apr 19 13:30:12 2005)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * chroot /home/testuser echo "test" > /home/testuser/testfile

Yes, I see that warning about not editing these files.

But there is no other way since crontab won't write to the correct path when called from inside the chrooted environment.

Until here everything is fine. But as I mentioned above the jobs inside the generated crontab-files won't be executed.

I restarted the crond, but that did not help. Is there anything I can do to make cronjobs accessible by my chrooted users?

I'm very thankful for every hint you can give me.

Regards,
Daniel

Darin · 04-20-2005, 05:14 AM

I'm not a cron expert, but would it be easier, or even possible, to make a new (root) cron job that checks for jobs in the chrooted environment and then executes them chrooted from there when needed? This seems easier than setting up a seperate cron in the chrooted environment, you just check for cron jobs in the user's home directories and run them chrooted. I'm not sure how well that would work, but it seems easier than copying everything out of the environment and then trying to run it.

metobln · 04-20-2005, 12:06 PM

Hi Darin,

thanks for your reply. I don't think it's the best solutions to run the users cronjobs as root. Even if there was no security risk by running the jobs in chroot all generated files would be owned by root.

I did not see the real problem yesterday. Actually the jobs have been executed after restarting the crond. I should have checked the mail of the testuser earlier. For some reason the command chroot was not accessible by the user.

Quote:

/bin/sh: chroot: Permission denied

But I solved the problem now. I didn't know about the possibility of setting the shell inside the crontab with the variable SHELL.

So what I am doing now is setting the user's shell to "/usr/local/bin/jail", which is the same shell they are using when login. This jail is the original shell developed by Juan M. Casillas, published in the Jail Chroot Project (http://sourceforge.net/projects/jail).

Everything is working fine now. The only thing I don't like is the fact that I have to restart the crond. Would be great if there was another way to make cron accept the modified crontab-files.

Regards,
Daniel

Darin · 04-22-2005, 03:31 AM

I may have made that sound overly confusing, what I meant was can you make a root cron job that checks for jobs in the user directories and then runs them as the user and in the jail space?

metobln · 04-24-2005, 05:39 AM

I'm a newbie to the linux world, but I guess that should be possible too.

But I'm happy that my basic system is running now.

If I notice any site-effects, i.e. cronjobs will not be executed because of restarting crond, I will investigate that possibility. But I kinda like the way it is working now. Except that restarting of crond...