crontab and syslog, new "feature"

Hi,

I had a crontab entry for user “news” in 11.2:

-3,8,33,38,20,50 * * * * /var/lib/news/bin/cronfetchnews

In 11.4 if I try to edit that line, I get:

File /tmp/crontab.kb855D saved
crontab: installing new crontab
“/tmp/crontab.kb855D”:5: bad option
errors in crontab file, can’t install.
Do you want to retry the same edit?

without saying what the error is. In the syslog I get:

<9.6> 2011-06-03 21:31:35 Telcontar crontab 19200 - - (CRON) ERROR (Only
privileged user can disable logging)

So, the “dash” is illegal now. How can I make it legal again? I don’t want
that feature. Nothing in the man page I can see.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Looking at lines 109 onwards here

https://fedorahosted.org/cronie/browser/src/entry.c

it seems to be a standard feature of cronie. Maybe picket the cronie development HQ? I haven’t checked if the latest version is displayed there.

Looking at the man page for the old crontab which I have here, it seems it was always a restriction, only now enforced:

If the uid of the owner is 0 (root), he can put a “-” as first character
of a crontab entry. This will prevent cron from writing a syslog
message about this command getting executed.

I guess you can just add some rules in /etc/rsyslog.conf to filter out (ignore) all but warnings and errors from cron if desired.

I dump all cron output to cron.log

cron.*    /var/log/cron.log

but you may prefer to filter the different message types (error, warn, info, crit, alert, etc.) to different places, e.g.

cron.=info;cron.=notice    /dev/null

On 2011-06-04 01:06, ken yap wrote:
>
> Looking at lines 109 onwards here
>
> https://fedorahosted.org/cronie/browser/src/entry.c
>
> it seems to be a standard feature of cronie. Maybe picket the cronie
> development HQ? I haven’t checked if the latest version is displayed
> there.

Rings a bell. Didn’t we have some other “brand” of cron, and then we, I
mean, oS, changed to cronie?

(reading the code…)

Argh. It is hardcoded, no bypass unless I patch the code myself. :-/

I’ll have to move the entry to /etc/crontab, which allows assigning the
user that runs each entry. But on each upgrade, I’ll get trouble.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2011-06-04 01:06, ken yap wrote:

> it seems to be a standard feature of cronie. Maybe picket the cronie
> development HQ? I haven’t checked if the latest version is displayed
> there.

Forgot to mention. If the first char is a dash, instead of ignoring the
dash and executing the entry, it is not run at all. Not logged, not run.
You notice the problem when you do not find the expected results elsewhere
of the non-running cron entry.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

You can also put it in /etc/cron.d which is not touched in upgrades, but if you reinstall, you have to remember to restore it.

But as I understand the code, it tests that the uid is 0. So if you try to run the job as another user, it blocks execution. Unless it changes uid after the check. Only reading the code can tell.

Then again, why worry about extra entries in syslog? Logrotate will take care of them.

On 2011-06-04 03:36, deano ferrari wrote:
>
> I guess you can just add some rules in /etc/rsyslog.conf to filter out
> (ignore) all but warnings and errors from cron if desired.

Yes, I could do that.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2011-06-04 14:36, ken yap wrote:
>
> You can also put it in /etc/cron.d which is not touched in upgrades, but
> if you reinstall, you have to remember to restore it.
>
> But as I understand the code, it tests that the uid is 0. So if you try
> to run the job as another user, it blocks execution. Unless it changes
> uid after the check. Only reading the code can tell.

The syntax of /etc/crontab is different, there is a field reserved for
specifying the user. I don’t remember if /etc/cron.d is that way or not.
[…] Right, the user is specified there.

/etc/cron.d/smolt:

20 1 1 * * smolt /usr/bin/smoltSendProfile -c > /dev/null 2>&1

I’ll put my entry there (on another file, of course). Thanks for the idea!

> Then again, why worry about extra entries in syslog? Logrotate will
> take care of them.

It runs 6 times per hour. Extra entries there distract me from seeing the
strange things, those that are important.

And I keep my logs for a long time :-)


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2011-06-04 16:38, Carlos E. R. wrote:
> I’ll put my entry there (on another file, of course). Thanks for the idea!

It works. The dash is accepted, the log keeps clear, and it runs as a plain
user. :-)


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Well done.
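
Added example (not part of the thread and not cronie's own code): a small Python model of the behaviour reported above, where a leading "-" is rejected in a non-root user's crontab but accepted in a root-owned /etc/cron.d file with a user field, plus a helper that lists the jobs running without a syslog record so they can be reviewed. The uid 9 for "news" and the /etc/cron.d form of the entry are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

SCHEDULE_FIELDS = 5  # minute, hour, day of month, month, day of week

@dataclass
class Verdict:
    accepted: bool            # would the line be installed?
    logged: bool              # syslog record written when the job runs?
    run_as: Optional[str] = None
    command: Optional[str] = None
    error: Optional[str] = None

def check_line(line, owner, owner_uid, system=False):
    """Model one crontab entry. owner/owner_uid: account owning the crontab
    (root for /etc/crontab and /etc/cron.d); system=True: user field present."""
    text = line.strip()
    quiet = text.startswith("-")
    if quiet:
        if owner_uid != 0:  # the condition reported in the thread's syslog line
            return Verdict(False, True, error="Only privileged user can disable logging")
        text = text[1:].lstrip()
    need = SCHEDULE_FIELDS + (2 if system else 1)
    parts = text.split(None, need - 1)
    if len(parts) < need:
        return Verdict(False, True, error="too few fields")
    run_as = parts[SCHEDULE_FIELDS] if system else owner
    return Verdict(True, not quiet, run_as, parts[-1])

def unlogged_jobs(lines, owner="root", owner_uid=0, system=True):
    """(user, command) pairs that run without a syslog record, for review."""
    found = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        v = check_line(line, owner, owner_uid, system)
        if v.accepted and not v.logged:
            found.append((v.run_as, v.command))
    return found

# Sample lines: the first and third are quoted in the thread, the second is a
# constructed /etc/cron.d form of the first; uid 9 for "news" is assumed.
USER_LINE = "-3,8,33,38,20,50 * * * * /var/lib/news/bin/cronfetchnews"
CROND_LINE = "-3,8,33,38,20,50 * * * * news /var/lib/news/bin/cronfetchnews"
SMOLT_LINE = "20 1 1 * * smolt /usr/bin/smoltSendProfile -c > /dev/null 2>&1"

if __name__ == "__main__":
    print(check_line(USER_LINE, "news", 9))
    print(check_line(CROND_LINE, "root", 0, system=True))
    print(unlogged_jobs([CROND_LINE, SMOLT_LINE]))
```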