Crontab Permission denied for site user

Hey everybody :upside_down_face:

CMK version: Check_MK version 2.1.0p19 CRE
OS version: Ubuntu 20.04.5 LTS (Hyper-V Guest)

Description of the problem: (Site) user is not allowed to use crontab command/program

Error message:

root@machine:~# omd start test
Temporary filesystem already mounted
Starting agent-receiver...OK
Starting mkeventd...OK
Starting rrdcached...OK
Starting npcd...OK
Starting nagios...OK
Starting apache...OK
Starting redis...OK
Initializing Crontab.../etc/cron.allow: Permission denied
You (test) are not allowed to use this program (crontab)
See crontab(1) for more information
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>
BrokenPipeError: [Errno 32] Broken pipe
ERROR

root@machine:~# omd stop test
Removing Crontab.../etc/cron.allow: Permission denied
You (test) are not allowed to use this program (crontab)
See crontab(1) for more information
Stopping redis...killing 55241...OK
Stopping apache...killing 55230.................OK
Stopping nagios....OK
Stopping npcd...OK
Stopping rrdcached...waiting for termination...OK
Stopping mkeventd...killing 55140....OK
Stopping agent-receiver...killing 55132...OK
Stopping 1 remaining site processes...OK

I have seen similar problems here but nothing helped. I tried changing the rights of /etc/crontab and dpkg-reconfigure cron. Some more outputs which might help:

First steps for Troubleshooting:

  • The user is in the /etc/cron.allow, there is no /etc/cron.deny.
  • I have manually created a user which was also not able to use crontab. So there is a good chance, it has nothing to do directly with the user created during the creation of the site.
  • root is allowed to use crontab. If I use sudo with a normal user the user is also allowed to use crontab.

root@machine:~# stat /etc/crontab
  File: /etc/crontab
  Size: 1042            Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 524974      Links: 1
Access: (0700/-rwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2023-01-21 17:47:42.858087500 +0300
Modify: 2023-01-16 23:46:12.331254158 +0300
Change: 2023-01-21 16:26:09.258753718 +0300
 Birth: -

It is worth mentioning that I had to implement some CIS Benchmarks during setup of the machine itself. Even though I don’t think that they are connected with my problem, here are the relevant ones:

# CIS 5.1.2
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
# CIS 5.1.3
chown root:root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly
# CIS 5.1.4
chown root:root /etc/cron.daily
chmod og-rwx /etc/cron.daily
# CIS 5.1.5
chown root:root /etc/cron.weekly
chmod og-rwx /etc/cron.weekly
# CIS 5.1.6
chown root:root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly
# CIS 5.1.7
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d

# Prevent blacklist behavior
rm /etc/cron.deny
rm /etc/at.deny
# Force whitelist behavior
touch /etc/cron.allow
touch /etc/at.allow
# Customize file permissions
chmod o-rwx /etc/cron.allow
chmod g-wx /etc/cron.allow
chmod o-rwx /etc/at.allow
chmod g-wx /etc/at.allow
chown root:root /etc/cron.allow
chown root:root /etc/at.allow

I don’t think that checkmk, e.g., changes the permissions of system files, and it also happens to normal users. Hopefully somebody has an idea where to look.

I really appreciate your help! :pray:

It is part of a specification I had to implement to comply with company rules and basically limits who can use crontab. But, as I have written, my monitoring user is in that file.

With your user listed in /etc/cron.allow, I am just as surprised as you.

Can you run crontab manually (instead of through the omd script) as that user?
Perhaps strace -f a failing command for a hint to where exactly it stumbles?

I think /etc/cron.allow has to be readable.

From crontab(1):

The files /etc/cron.allow and /etc/cron.deny, if they exist, must be either world-readable, or readable by group crontab. If they are not, then cron will deny access to all users until the permissions are fixed.

3 Likes
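
The crontab(1) rule quoted in the reply above, written out as a check. This is an added example, not part of any post in the thread; the function names `access_ok` and `check_file` are hypothetical, and `check_file` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Rule from crontab(1) as quoted above: cron.allow and cron.deny must be
# world-readable or readable by group "crontab".

# access_ok MODE GROUP [WANTED_GROUP]
# MODE: octal mode as printed by `stat -c %a` (e.g. 640); GROUP: owning group.
# Returns 0 if the rule is met, 1 if not, 2 if MODE is not octal.
access_ok() {
    mode=$1 group=$2 wanted=${3:-crontab}
    case $mode in ''|*[!0-7]*) return 2 ;; esac
    perms=$((0$mode))                                   # parse as octal
    if [ $(( $perms & 0004 )) -ne 0 ]; then return 0; fi  # world-readable
    if [ "$group" = "$wanted" ] && [ $(( $perms & 0040 )) -ne 0 ]; then
        return 0                                        # group crontab can read
    fi
    return 1
}

# check_file PATH: apply access_ok to a real file (assumes GNU stat).
check_file() {
    f=$1
    [ -e "$f" ] || { echo "$f: not present"; return 0; }
    set -- $(stat -c '%a %G' "$f")
    if access_ok "$1" "$2"; then
        echo "$f: OK (mode $1, group $2)"
    else
        echo "$f: non-root users will be denied (mode $1, group $2)"
        return 1
    fi
}

# Constructed samples: "mode group". 640 root is what the hardening steps in
# the first post leave behind if touch created the file with mode 644.
for sample in "640 root" "640 crontab" "644 root" "600 crontab"; do
    set -- $sample
    if access_ok "$1" "$2"; then verdict="allowed"; else verdict="denied"; fi
    echo "cron.allow mode=$1 group=$2 -> $verdict"
done
```

On Debian and Ubuntu, where the crontab binary runs setgid to group crontab, owning the file as root:crontab with mode 640 meets the rule while still keeping "other" out.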

Even strace gave me an ‘operation not permitted’… It must have something to do with the safety regulations. I will start over and install from scratch, this time by installing checkmk first and regularly trying to start the site up to that point where it fails.

Thanks for now, I really appreciate your effort.

@r.sander

Thanks for the advice. I already reverted to an early snapshot I had. crontab was working even after I set the file permissions which I instantly did to check if this was the problem.

Security is a nice thing, but too often this leads to weird behaviour…

As for now it looks like some of the security related configurations I had to make don’t work with each other and I have to report that internally.

As soon as I created the cron.allow file no user except root was able to use crontab. I started over with the old snapshot and now everything is working fine.

Thanks everybody!
