Written by James McDonald

February 16, 2022

Problem: You get access denied when running a script from your user crontab but not when running it interactively

Cause: Your user is in the correct group when logged in but not for cron

Resolution: Add the user to the correct group

This is on Ubuntu 20.04 LTS

How to troubleshoot missing cron group membership

When I run groups or id as my Ubuntu user interactively I get a long list of group memberships:

uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),4(adm),8(mail),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),117(netdev),118(lxd)

myuser adm mail dialout cdrom floppy sudo audio dip video plugdev netdev lxd

But when I run a crontab as user that attempts to cat at an nginx log it returns access denied

cat: /var/log/nginx/www_access.log: Permission denied

Checking the permissions of the file my user has the right group membership (adm) to read the file. So why am I getting access denied when running from the user cron?

ls -alh /var/log/nginx/www_access.log
-rw-r----- 1 www-data adm 0 Feb 16 00:00 /var/log/nginx/www_access.log

But checking the group memberships when running cron tells me I don’t have membership in the adm group

# put id command in the cron script wait for it to run and look at the output
id > /tmp/id.out
# get the output
cat /tmp/id.out
# output missing adm group membership
uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),8(mail)

Clearly I don’t have the correct membership in the adm group when running cron. The fix is adding the user to the group properly:

sudo usermod -G adm myuser

Checking /etc/groups there was no entry for my user for the adm group

# before

# after running usermod



Submit a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.

You May Also Like…

Meraki Open Source Licenses

Until today I assumed that Meraki was built in-house with only closed source software. But having a look at the...


If you have Veeam backup failing with the Updating BCD failed with Cannot update SafeBoot flag and SentinelOne is...