Hey everybody
CMK version: Check_MK version 2.1.0p19 CRE
OS version: Ubuntu 20.04.5 LTS (Hyper-V Guest)
Description of the problem: (Site) user is not allowed to use crontab command/program
Error message:
root@machine:~# omd start test
Temporary filesystem already mounted
Starting agent-receiver...OK
Starting mkeventd...OK
Starting rrdcached...OK
Starting npcd...OK
Starting nagios...OK
Starting apache...OK
Starting redis...OK
Initializing Crontab.../etc/cron.allow: Permission denied
You (test) are not allowed to use this program (crontab)
See crontab(1) for more information
Exception ignored in: <_io.TextIOWrapper name='<stdout>' mode='w' encoding='utf-8'>
BrokenPipeError: [Errno 32] Broken pipe
ERROR
root@machine:~# omd stop test
Removing Crontab.../etc/cron.allow: Permission denied
You (test) are not allowed to use this program (crontab)
See crontab(1) for more information
Stopping redis...killing 55241...OK
Stopping apache...killing 55230.................OK
Stopping nagios....OK
Stopping npcd...OK
Stopping rrdcached...waiting for termination...OK
Stopping mkeventd...killing 55140....OK
Stopping agent-receiver...killing 55132...OK
Stopping 1 remaining site processes...OK
I have seen similar problems here, but nothing helped. I tried changing the rights of /etc/crontab and dpkg-reconfigure cron. Some more outputs which might help:
First steps for Troubleshooting:
- The user is in /etc/cron.allow; there is no /etc/cron.deny.
- I have manually created a user which was also not able to use crontab. So there is a good chance it has nothing to do directly with the user created during the creation of the site.
- root is allowed to use crontab. If I use sudo with a normal user the user is also allowed to use crontab.
root@machine:~# stat /etc/crontab
File: /etc/crontab
Size: 1042 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 524974 Links: 1
Access: (0700/-rwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2023-01-21 17:47:42.858087500 +0300
Modify: 2023-01-16 23:46:12.331254158 +0300
Change: 2023-01-21 16:26:09.258753718 +0300
Birth: -
It is worth mentioning that I had to implement some CIS Benchmarks during setup of the machine itself. Even though I don’t think that they are connected with my problem, here are the relevant ones:
# CIS 5.1.2
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
# CIS 5.1.3
chown root:root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly
# CIS 5.1.4
chown root:root /etc/cron.daily
chmod og-rwx /etc/cron.daily
# CIS 5.1.5
chown root:root /etc/cron.weekly
chmod og-rwx /etc/cron.weekly
# CIS 5.1.6
chown root:root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly
# CIS 5.1.7
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d
# Prevent blacklist behavior
rm /etc/cron.deny
rm /etc/at.deny
# Force whitelist behavior
touch /etc/cron.allow
touch /etc/at.allow
# Customize file permissions
chmod o-rwx /etc/cron.allow
chmod g-wx /etc/cron.allow
chmod o-rwx /etc/at.allow
chmod g-wx /etc/at.allow
chown root:root /etc/cron.allow
chown root:root /etc/at.allow
I don’t think that Checkmk, e.g., changes the permissions of system files, and it also happens to normal users. Hopefully somebody has an idea where to look.
I really appreciate your help!
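
An added example (not part of the original post, and not Checkmk code): on Debian and Ubuntu, crontab(1) is installed setgid to the crontab group rather than setuid root, so it opens /etc/cron.allow with the calling user's uid plus the crontab group. The sketch below models the owner/group/other read check for the mode and ownership that the hardening commands above leave on /etc/cron.allow; the uid and gid numbers are constructed.

```shell
#!/bin/sh
# Added example: model of the Unix read-permission check that crontab(1)
# hits when it opens /etc/cron.allow. All uid/gid numbers are constructed.

# can_read MODE FILE_UID FILE_GID PROC_UID PROC_GID...
# Returns 0 if a process with PROC_UID and the listed group ids may read a
# file with octal MODE owned by FILE_UID:FILE_GID. The classes are exclusive:
# the first one that matches (owner, then group, then other) decides.
can_read() {
    mode=$1 fuid=$2 fgid=$3 puid=$4
    shift 4
    bits=$((0$mode))                       # leading 0 makes it octal
    if [ "$puid" -eq 0 ]; then return 0; fi   # root bypasses the mode bits
    if [ "$puid" -eq "$fuid" ]; then
        if [ $((bits & 0400)) -ne 0 ]; then return 0; else return 1; fi
    fi
    for g in "$@"; do
        if [ "$g" -eq "$fgid" ]; then
            if [ $((bits & 0040)) -ne 0 ]; then return 0; else return 1; fi
        fi
    done
    if [ $((bits & 0004)) -ne 0 ]; then return 0; else return 1; fi
}

# verdict LABEL <can_read arguments>: print the outcome for one scenario.
verdict() {
    label=$1
    shift
    if can_read "$@"; then
        echo "$label: readable"
    else
        echo "$label: Permission denied"
    fi
}

# Constructed ids: site user uid/gid 1001, crontab group gid 108.
# touch + chmod o-rwx + chmod g-wx + chown root:root gives 640 root:root.
verdict "640 root:root, site user via setgid crontab" 640 0 0 1001 1001 108
# sudo runs crontab as uid 0, which is why it works there.
verdict "640 root:root, same user under sudo" 640 0 0 0 0
# Group ownership by crontab keeps 'other' locked out but lets crontab read.
verdict "640 root:crontab, site user via setgid crontab" 640 0 108 1001 1001 108
```

On the host itself, `stat -c '%a %U:%G' /etc/cron.allow /usr/bin/crontab` shows the real mode, owner and group to compare against.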