Here is a quick run down of how I set up a separate user fcrontab and use it for running scripts, including those that require root permissions.
- Create a non-login system user
useradd -r -U -d / -s /bin/false -c "non root fcrontab user" fcronuser
-r specifies that it is a system user
-U tells it to also create a group with the same name
-d defines the home directory as /. No home directory is created for system users, but the value is still recorded in the passwd file
-s defines the login shell, in this case /bin/false means the user cannot log in
-c is a comment about the user. It can be any string you want.
fcronuser is the name I used but it can be whatever you want, as long as it is not already in use
The entry in the passwd file should look something like
fcronuser:x:998:998:non root fcrontab user:/:/bin/false
The uid and gid will be dependent on what other users are already created on your system.
- Create a sudoers file for the fcronuser in
/etc/sudoers.d/
It can be called whatever you want, but the simplest is to name it the same as the user, so fcronuser
Contents should be
## Allow fcronuser to use sudo without a password
fcronuser ALL=(ALL) NOPASSWD:ALL
This will allow the fcronuser to run scripts that require root permissions by using sudo without needing to use a password
- Then you need to add the new user to the fcron.allow list. Edit
/etc/fcron.allow
to add fcronuser to the list, which will only include root unless you have already added another user to it.
After editing it should contain at least the following lines
root
fcronuser
- Create the fcrontab for your new user
fcrontab -u fcronuser -e
-u fcronuser tells fcrontab to use the user fcronuser
-e says to edit the fcronuser fcrontab
Enter whatever scripts you want run with fcron and save the file.
Most scripts will be able to run successfully with the native rights of the fcronuser.
For those that don’t run successfully due to permissions you will need to add sudo at the front.
Below is my fcronuser fcrontab. Three entries run fine as they are. One has to have sudo to execute.
#
# crontab for fcronuser
#
# Restart rhea at 07:30 each day
30 7 * * * /home/fcronuser/scripts/wol_rhea.sh
# Run iapetus backup each Saturday at 21:00
0 21 * * 6 "sudo /home/fcronuser/scripts/iapetus_backup.sh"
# Run speedtest at 06:10, 10:10, 14:10, 18:10 & 22:10
10 2,6,10,14,18,22 * * * /home/fcronuser/scripts/speed_test.sh
# Run the DNS SERVFAIL count script on each Sunday at 01:10
10 1 * * 0 /home/fcronuser/scripts/DNS-SERVFAIL-count.sh
I cannot currently guarantee that this will work without any problems as when I carried it out some while ago I may have had to change some other things that I have forgotten about.
My plan is to take a vm clone of my testbed and run the same commands on that and confirm everything works as expected with a vanilla install but I currently don’t have the time to do that.
If you find any problems flag them up and I will have a look at them.
For information the fcrontabs are stored under /var/spool/cron/
and you should find fcronuser and after some editing fcronuser.orig in that directory.
To ensure that you back up those files in your IPFire backup routine add the line
var/spool/cron/fcronuser*
to the /var/ipfire/backup/include.user
file
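
The NOPASSWD:ALL rule from the sudoers step makes fcronuser equivalent to root, so the separation only holds if the grant is narrowed to the scripts that need it and those scripts cannot be rewritten by a non-root user. The shell functions below are an added example, not part of the original post: they flag the blanket grant in a sudoers drop-in and check the ownership and mode of each script a narrower rule names. The function names and the narrower rule shown in the comment are assumptions, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sudoers drop-in and the
# scripts it lets the cron user run as root. Function names are hypothetical.
#
# A narrower rule than NOPASSWD:ALL names only the script that needs root:
#   fcronuser ALL=(root) NOPASSWD: /home/fcronuser/scripts/iapetus_backup.sh

# Print active (non-comment) rules that grant every command without a password.
blanket_rules() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -E 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$'
}

# Print the absolute command paths granted with NOPASSWD, one per line.
granted_commands() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' |
        awk '$1 ~ /^\// { print $1 }'
}

# Succeed only if the script AND its directory are owned by uid $2 (default 0,
# root) and are not group- or world-writable. Otherwise whoever can rewrite or
# replace the file controls what sudo runs as root. Assumes GNU stat.
script_is_locked_down() {
    want_uid=${2:-0}
    [ -f "$1" ] || return 1
    for p in "$1" "$(dirname "$1")"; do
        [ "$(stat -c '%u' "$p")" = "$want_uid" ] || return 1
        [ $(( 0$(stat -c '%a' "$p") & 022 )) -eq 0 ] || return 1
    done
}

# Report on one drop-in, e.g.: audit_dropin /etc/sudoers.d/fcronuser
audit_dropin() {
    rc=0
    if blanket_rules "$1" >/dev/null; then
        echo "UNRESTRICTED: $(blanket_rules "$1")"; rc=1
    fi
    for cmd in $(granted_commands "$1"); do
        script_is_locked_down "$cmd" || { echo "WRITABLE OR NOT ROOT-OWNED: $cmd"; rc=1; }
    done
    return $rc
}
```

After editing the drop-in, `visudo -cf /etc/sudoers.d/fcronuser` checks its syntax before sudo next reads it.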