My fcrontab file has been replaced by a new one

Two or three days ago I tried this also! It didn’t work for me either! It looks like our only choices are these:

[root@ipfire etc] # ls -al /etc/fc*

-rw-r----- 1 root cron    5 Feb  7 06:58 /etc/fcron.allow
-rw-r----- 1 root cron  670 Mar 11 22:04 /etc/fcron.conf
-rw-r----- 1 root cron    4 Feb  7 06:58 /etc/fcron.deny

total 12
drwxr-xr-x  2 root root 4096 Feb  7 08:48 .
drwxr-xr-x 54 root root 4096 Jun 12 03:51 ..
-rw-r--r--  1 root root   34 Feb  7 06:58 info.txt

total 24
drwxr-xr-x  2 root root 4096 Apr 26 08:46 .
drwxr-xr-x 54 root root 4096 Jun 12 03:51 ..
-rw-r--r--  1 root root   33 Feb  7 06:58 info.txt

total 12
drwxr-xr-x  2 root root 4096 Mar  9 13:48 .
drwxr-xr-x 54 root root 4096 Jun 12 03:51 ..
-rw-r--r--  1 root root   34 Feb  7 06:58 info.txt

total 12
drwxr-xr-x  2 root root 4096 Feb  7 08:48 .
drwxr-xr-x 54 root root 4096 Jun 12 03:51 ..
-rw-r--r--  1 root root   36 Feb  7 06:58 info.txt

total 12
drwxr-xr-x  2 root root 4096 Apr 24 20:16 .
drwxr-xr-x 54 root root 4096 Jun 12 03:51 ..
-rw-r--r--  1 root root   35 Feb  7 06:58 info.txt

total 16
drwxr-xr-x  2 root root 4096 Apr 24 20:42 .
drwxr-xr-x 54 root root 4096 Jun 12 03:51 ..
-rw-r--r--  1 root root   34 Feb  7 06:58 info.txt

Hello to everyone,

I’ve the same problem after upgrade core 168 (but I had seen the notification and had planned a backup :wink: )
Did anyone finally manage to run custom cron lines ?
Because from what I understood below you can do it by creating a user (and giving him sudoers rights if you want to do admin tasks) but after that…where do you put the scripts or cron lines that call on them ?

Please…If someone has managed to make this work, can he please detail the steps to follow ?
(it would also be interesting to add the steps on the Ipfire Wiki :wink: )

My Ipfire:

IPFire version IPFire 2.27 (x86_64) - core168
Pakfire version 2.27-x86_64
Kernel version Linux 5.15.35-ipfire #1 SMP Tue Apr 26 10:56:57 GMT 2022 x86_64 Intel(R) Atom™ CPU C3758 @ 2.20GHz GenuineIntel GNU/Linux

Many thanks

I have it running on my production system and have been planning to do a wiki page for this but other activities/problems got in the way.

I will try and write it up in this thread in the next few days.


Thanks a lot Adolf…I’m waiting for your news :wink:

Very odd occurrence…

I updated from CU 168 to CU 169 and nothing was lost in the fcrontab. (no backup/restore was done).

I did a /usr/bin/fcrontab -l > /root/backup/fcrontab.backup just to save a copy but it was not needed.

Hi Jon,

Just had a look through CU169 and fcron or fcrontab was not modified in this update. It was also not touched by the update script, had a look through to confirm.

So the fcrontab should not have been touched at all.

So not sure what happened with @tikok974


Hello everyone,

The modification was made between the passage of the core 167 to the core 168. It is in core 168 that the change was made :wink:
See: - IPFire 2.27 - Core Update 168 released

Have a nice day

Here is a quick run down of how I set up a separate user fcrontab and use it for running scripts, including those that require root permissions.

  1. Create a non-login system user
    useradd -r -U -d / -s /bin/false -c "non root fcrontab user" fcronuser
    -r specifies that it is a system user
    -U tells it to also create a group with the same name
    -d defines the home directory as /, although no home directory is created for system users it is specified in the passwd file
    -s defines the login shell, in this case /bin/false means the user cannot log in
    -c is a comment about the user. It can be any string you want.
    fcronuser is the name I used but it can be whatever you want, as long as it is not already in use
    The entry in the passwd file should look something like
    fcronuser:x:998:998:non root fcrontab user:/:/bin/false
    The uid and gid will be dependent on what other users are already created on your system.

  2. Create a sudoers file for the fcronuser in /etc/sudoers.d/
    It can be called whatever you want but the simplest is to name it the same as the user so fcronuser
    Contents should be

## Allow fcronuser to use sudo without a password
fcronuser       ALL=(ALL) NOPASSWD:ALL

This will allow the fcronuser to run scripts that require root permissions by using sudo without needing to use a password

  1. Then you need to add the new user to the fcron.allow list. Edit /etc/fcron./allow to add fcronuser to the list which will only include root unless you have already added another user to it.
    After editing it should contain at lease the following lines
  1. Create the fcrontab for your new user
    fcrontab -u fcronuser -e
    -u fcronuser tells fcrontab to use the user fcronuser
    -e says to edit the fcronuser fcrontab
    Enter whatever scripts you want run with fcron and save the file.
    Most scripts will be able to run successfully with the native rights of the fcronuser.
    For those that don’t run successfully due to permissions you will need to add sudo at the front.
    Below is my fcronuser fcrontab. Three entries run fine as they are. One has to have sudo to execute.
# crontab for fcronuser

# Restart rhea at 07:30 each day
30 7 * * * /home/fcronuser/scripts/

# Run iapetus backup each Saturday at 21:00
0 21 * * 6 "sudo /home/fcronuser/scripts/"

# Run speedtest at 06:10, 10:10, 14:10, 18:10 & 22:10
10 2,6,10,14,18,22 * * * /home/fcronuser/scripts/

# Run the DNS SERVFAIL count script on each Sunday at 01:10
10 1 * * 0 /home/fcronuser/scripts/

I cannot currently guarantee that this will work without any problems as when I carried it out some while ago I may have had to change some other things that I have forgotten about.
My plan is to take a vm clone of my testbed and run the same commands on that and confirm everything works as expected with a vanilla install but I currently don’t have the time to do that.

If you find any problems flag them up and I will have a look at them.

For information the fcrontabs are stored under /var/spool/cron/ and you should find fcronuser and after some editing fcronuser.orig in that directory.
To ensure that you backup those files in your IPFire backup routine add the line
to the /var/ipfire/backup/include.user file


Hi Adolf,

Many thanks.


Hi @jon

Where is the best place in the wiki to put my screed about user fcrontabs and how do I get the right directory structure put in place?

Wow! That is a tough one! I honestly do not know.

How about under - Noteworthy packages with the title of “fcron”?

You can click here to get started:

Just click the CREATE NOW button.

Thanks Jon. That helps.

I don’t have the time to do it now as I am having to work on my mail server as the main disk is starting to fail but I know how to approach it now, when I get round to it.

1 Like

@bonnietwin I take the offer :smile:

Purpose: changing RPF from strict to relaxed when my web server issues a certbot renew (see Reverse Path Filtering prevents certbot renewal using HTTP-1 acme-challenge - #2 by cfusco for context).

I followed your tutorial almost to the to the letter, with the purpose to execute a script that sets RPF to 2 and then after 15 minutes it reverts to the default. During that window, my webserver is free to issue a certbot renew command.

This is the fcrontab for the fcronuser:

0 0 * * 7 "sudo /home/cfusco/bin/ 2"
15 0 * * 7 "sudo /home/cfusco/bin/ 1"

This is the script it calls:


# set strictness of Reverse Path Filtering; see RFC 3704, #
# section 2.2: 1, RPF strict; 2, RPF relaxed              #

###### Initialization steps ######
exec 1>>$LOG 2>&1                   # write stdout to $LOG, stderr goes to stdout
level=$1                            # 1 for strict or 2 for relaxed

##### Functions ######
function run() {                    # wrapper call for error handling, spins a subshell
    cmd_output=$(eval $1)
    [[ $return_value != 0 ]] && echo "Command $1 failed" && echo -e "${cmd_output}" \
            || echo -e "* $1 Output:\n${cmd_output}" "\nCommand $1 succeeded."
    return $return_value

function logDate() {                 # log a time stamped message
    date=$(date '+%Y-%m-%d %H:%M:%S')
    echo -e "\n---\n" "$date" ": $1 \n---"

function changeRPF() {               # change RPF value
    if [[ $level == 1 || $level == 2 ]]; then
         sysctl net.ipv4.conf.default.rp_filter=$level
         sysctl net.ipv4.conf.all.rp_filter=$level
         echo "either 1 or 2, instead you entered: "$level
         return -1

##### Main Routine ######
logDate "Changing RPF strictness"
run "changeRPF"

The error I got in the logs is:

 2022-09-11 00:00:00 : Changing RPF strictness 
/home/cfusco/bin/ line 29: sysctl: command not found
/home/cfusco/bin/ line 30: sysctl: command not found
* changeRPF Output:
Command changeRPF failed.

 2022-09-11 00:15:00 : Changing RPF strictness 
/home/cfusco/bin/ line 29: sysctl: command not found
/home/cfusco/bin/ line 30: sysctl: command not found
* changeRPF Output:
Command changeRPF failed.

do you have any idea why executing the script, fcronuser cannot find sysctl? It’s not a matter of permission, becase if I run the command as user cfusco, i get

 2022-09-11 11:27:53 : Changing RPF strictness 
sysctl: permission denied on key "net.ipv4.conf.default.rp_filter"
sysctl: permission denied on key "net.ipv4.conf.all.rp_filter"
Command changeRPF failed

I am lost here.

Hi @cfusco

Always glad to try and help if I am able to. :grin:

In this case I may be able to help. When a system user is created, without a home directory then sometimes the path environment variable for that user does not cover what you want to access. Also I have sometimes found that no matter what I do with a path environment variable cron or fcron refuse to be able to find a binary.
Therefore I always write the cron/fcron binary command with a full path specified.
I would give that a try and see if it solves your issue.

If it doesn’t solve the issue then I will need to test out your script and commands in my vm testbed to obtain a better idea.

Incidentally, I am also using letsencrypt on my network but I currently don’t have a webserver running so I am doing the http-01 challenge with the certbot standalone command and it starts up a webserver just for the challenge and afterwards shuts it down. I don’t have any issues with RPF. My certificates were successfully updated about 10 days ago.

I will eventually put a web server in place for a webmail system and will then be doing the same as you. Will let you know how that goes when I get round to it and if I see the same issue as you have been experiencing.

That you do, and I am extremely grateful for that. Thank you.

You did indeed. It was so obvious, I feel silly not to have connected my brain. It works beautifully now.

That would be great, especially if you post it in that thread. Thank you again.

@bonnietwin I hope you do not mind that I did it. The procedure is correct as I have tested it myself. The text is only occasionally modified just for minor adjustments to a wiki entry style, but feel free to change it as you deem necessary. Thank you for the great tutorial.


No problems at all. I have been strapped for time so haven’t been able to get round to it. Glad you could help.

1 Like

Just had a look through the new fcron wiki entry you created. It looks great :+1:


Will the links below be helpful?


1 Like

@tphz Thank you, I have added the link in the notes.

1 Like