I have some cron jobs that I am running - mostly backup related stuff.
I am having to backup stuck like /etc/apache2/sites/available etc, which require root access.
I have a couple of questions:
When running on a headless server:
- Which user is the script run under (assuming I do not specify a user in the cron job entry)?
- Is it ok to run the backup script as root - or does that pose a security question?
BTW, my server is running Ubuntu 10.0.4 LTS
If you have secured access to the script sufficiently and made sensible precautions, running something from roots crontab is not usually a security risk.
But don't run a script as root that a non root user can edit or overwrite. This applies to jobs run from cron as well as interactively.
If that script includes other files same applies to them too.
If in doubt always use the principle of least privilege. If you are still unsure you can always ask specific questions on forums and in IRC.
There is (nearly) always a way to run something as a non root user. If all else fails using sudo to limit a user to specific commands also limits the potential to do harm.
So with the example you gave of backing up /etc/apache2/sites-available, that file is by default readable by anyone, so that implies it is access to the destination that is writeable by root only.
You could fix that by
It depends what the scripts are doing. If they are backing stuff up then it's probably fine them being root - if a malicious user overwrites these scripts you've probably got bigger problems anyway.
If they do stupid things like executing files found in directories, or anything that could be influenced by the content of the web directories, then you probably need to look into alternatives.
Millions of cron jobs all over the world are being run as root every day (or whatever period they're set to run).
The important thing is that proper permissions are set. If you're running something that's writable by everybody, then a malicious user or process could change what it's doing.
Cron jobs are run by the owner of the crontab, generally speaking. A user crontab might be in
/var/spool/cron/crontabs/username
for example. Cronjobs that are in/etc/crontab
,/etc/cron.d/
or/etc/cron.hourly
(daily, weekly, monthly) will be run by root. It's important that the ownership and permissions are correct for these crontab files, too.