Hi!
I’m getting a surprising error when attempting to list the fcrontab of fcronuser when logged in as that user.
I’ve following the instructions at the wiki post below to set up an `fcronuser` who’ll have their own crontab.
I’m creating this user because I’d been adding lines to root’s fcrontab, but these get overwritten on an IPFire upgrade (as explained in the forum post Crontab entry deleted after upgrading IPFire from Core 188 to 198 ).
I’ve followed the instructions closely. (Note: I had created a user using the useradd command specified in the post, but then decided I wanted them to have their own home directory, so deleted the user with userdel and then added them again, this time specifying -m instead of -c /. All other args remained the same. I expect the new user to be able to reuse the eponymous group created the first time. I mention this, in case it matters.)
I then followed the rest of the instructions, creating the entry /etc/sudoers.d/fcronuser and adding the user to /etc/fcron.allow, and finally added an fcrontab file with the desired entries.
I then opened a shell as fcronuser with the intent to check their fcrontab and run the various commands as that user, in order to apply the minimum amount of sudo for the commands run under fcrontab as fcronuser to work.
As root:
[root@ipfire cron]# sudo -u fcronuser bash --login -i
bash-5.3$
This approach allows me to bypass the fact that the fcronuser has /bin/false as their login shell.
I am indeed who I think I am:
bash-5.3$ id
uid=999(fcronuser) gid=999(fcronuser) groups=999(fcronuser)
When I go to list the fcrontab entries from this new shell, though, I get the following error.
Here’s the complete transcript, from opening a bash shell as fcronuser and attempting to list their fcrontab:
[root@ipfire cron]# sudo -u fcronuser bash --login -i
bash-5.3$ fcrontab -l
2026-01-20 14:36:26 ERROR could not change euid to 104: Operation not permitted
2026-01-20 14:36:26 ERROR fcron child aborted: this does not affect the main fcron daemon, but this may prevent a job from being run or an email from being sent.
Double-checking everything (including the spelling of fcronuser!), I see the account has been correctly created:
bash-5.3$ grep fcronuser /etc/passwd
fcronuser:x:999:999:non root fcrontab user:/home/fcronuser:/bin/false
There’s a valid entry in /etc/sudoers.d/fcronuser:
bash-5.3$ sudo cat /etc/sudoers.d/fcronuser
## Allow fcronuser to use sudo without a password
fcronuser ALL=(ALL) NOPASSWD:ALL
They’re in /etc/fcron.allow:
bash-5.3$ sudo cat /etc/fcron.allow
root
fcronuser
Probably the problem is that their don’t own their own fcrontab file:
bash-5.3$ sudo ls -l /var/spool/cron/fcronuser.orig
-rw-r----- 1 cron cron 526 Jan 20 14:11 /var/spool/cron/fcronuser.orig
bash-5.3$ cat /var/spool/cron/fcronuser.orig
cat: /var/spool/cron/fcronuser.orig: Permission denied
bash-5.3$ sudo cat /var/spool/cron/fcronuser.orig
<file content displayed, but redacted for clarity>
Given the user can’t see their own fcrontab, even if I edit it as root to add the appropriate sudo invocations, I have no confidence it’s going to be executed successfully.
What do you recommend?