Problem: You get access denied when running a script from your user crontab but not when running it interactively
Cause: Your user is in the correct group when logged in but not for cron
Resolution: Add the user to the correct group
This is on Ubuntu 20.04 LTS
How to troubleshoot missing cron group membership
When I run `groups` or `id` as my Ubuntu user interactively I get a long list of group memberships:

```
id
#output
uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),4(adm),8(mail),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd)

groups
#output
myuser adm mail dialout cdrom floppy sudo audio dip video plugdev netdev lxd
```
But when I run a crontab as my user that attempts to `cat` an nginx log, it returns access denied:

```
cat: /var/log/nginx/www_access.log: Permission denied
```
Checking the permissions of the file, my user has the right group membership (adm) to read it. So why am I getting access denied when running from the user cron?

```
ls -alh /var/log/nginx/www_access.log
-rw-r----- 1 www-data adm 0 Feb 16 00:00 /var/log/nginx/www_access.log
```
But checking the group memberships when running from cron tells me I don't have membership in the `adm` group:

```
# put the id command in the cron script, wait for it to run, and look at the output
id > /tmp/id.out
# get the output
cat /tmp/id.out
# output missing adm group membership
uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),8(mail)
```
Clearly I don't have the correct membership in the `adm` group when running cron. The fix is adding the user to the group properly:

```
sudo usermod -a -G adm myuser
```
Checking /etc/group, there was no entry for my user in the `adm` group:

```
# before
adm:x:4:syslog

# after running usermod
adm:x:4:syslog,myuser
```
Fixed!!!
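The comparison done by eye above can be scripted. This is an added example, not part of the original post: it diffs two captured `id` outputs and checks whether a user is listed for a group in a group(5)-format file. The function names are hypothetical; the two sample `id` lines are copied from the outputs shown above.

```shell
#!/bin/sh
# Added example: find groups a login session has that a cron job does not,
# and check whether the membership is actually recorded in /etc/group.

# Sample input: the two `id` outputs shown earlier on this page.
INTERACTIVE_ID='uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),4(adm),8(mail),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd)'
CRON_ID='uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),8(mail)'

# Print the group names from one line of `id` output, one per line, sorted.
id_group_names() {
    printf '%s\n' "$1" |
        sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' |
        sed -n 's/^[0-9]*(\(.*\))$/\1/p' |
        LC_ALL=C sort -u
}

# Print (space separated) the groups in the first `id` output that are
# absent from the second, e.g. interactive shell vs. cron job.
groups_missing_in_cron() {
    cron_names=$(id_group_names "$2")
    id_group_names "$1" | while IFS= read -r g; do
        printf '%s\n' "$cron_names" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if USER appears in the member list (4th field) of GROUP.
# usage: listed_in_group_file USER GROUP [FILE]   (FILE defaults to /etc/group)
listed_in_group_file() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit (found ? 0 : 1) }' "${3:-/etc/group}"
}

# Report each group the cron run lacked and whether /etc/group lists the user.
for g in $(groups_missing_in_cron "$INTERACTIVE_ID" "$CRON_ID"); do
    if listed_in_group_file myuser "$g" 2>/dev/null; then
        echo "$g: listed in /etc/group"
    else
        echo "$g: NOT listed in /etc/group (fix: sudo usermod -a -G $g myuser)"
    fi
done
```

To use it on a live system, replace the two sample strings with the output of `id` from your shell and the contents of `/tmp/id.out` written by the cron job.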