User crontab missing supplementary groups

Written by James McDonald

February 16, 2022

Problem: You get access denied when running a script from your user crontab but not when running it interactively

Cause: Your user is in the correct group when logged in but not for cron

Resolution: Add the user to the correct group

This is on Ubuntu 20.04 LTS

How to troubleshoot missing cron group membership

When I run groups or id as my Ubuntu user interactively I get a long list of group memberships:

id
#output
uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),4(adm),8(mail),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd)

groups
#output
myuser adm mail dialout cdrom floppy sudo audio dip video plugdev netdev lxd

But when I run a crontab as user that attempts to cat at an nginx log it returns access denied

cat: /var/log/nginx/www_access.log: Permission denied

Checking the permissions of the file my user has the right group membership (adm) to read the file. So why am I getting access denied when running from the user cron?

ls -alh /var/log/nginx/www_access.log
-rw-r----- 1 www-data adm 0 Feb 16 00:00 /var/log/nginx/www_access.log

But checking the group memberships when running cron tells me I don’t have membership in the adm group

# put id command in the cron script wait for it to run and look at the output
id > /tmp/id.out
# get the output
cat /tmp/id.out
# output missing adm group membership
uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),8(mail)

Clearly I don’t have the correct membership in the adm group when running cron. The fix is adding the user to the group properly:

sudo usermod -G adm myuser

Checking /etc/groups there was no entry for my user for the adm group

# before
adm:x:4:syslog

# after running usermod
adm:x:4:syslog,myuser


Fixed!!!

0 Comments

Submit a Comment

Your email address will not be published.

You May Also Like…

List your VSCode Extensions

Ever wondered what extensions you have installed and want to keep a list? This actually is a good way to audit your...

array_merge vs the + operator

<?php $options = [ 'rootNode' => 'response' ]; // array_merge // the same key appearing later will overwrite echo...