This is the mail archive of the
cygwin@cygwin.com
mailing list for the Cygwin project.
Re: Windows 2003 Server & Cygwin Cron
- From: Igor Pechtchanski <pechtcha at cs dot nyu dot edu>
- To: Benn Schreiber <bls at starwhite dot net>
- Cc: cygwin at cygwin dot com
- Date: Wed, 17 Dec 2003 14:43:55 -0500 (EST)
- Subject: Re: Windows 2003 Server & Cygwin Cron
- References: <200312171927.hBHJRXTp031215@xunil.starwhite.net>
- Reply-to: cygwin at cygwin dot com
Quoting crontab.c from the cron-3.0.1-11 sources:
/* Cygwin can't support changing the owner since that requires crontab to
be a s-uid application which is not supported.
As workaround we try to set group membership to be SYSTEM (== ROOT_UID)
and setting permissions to 640 which should allow cron to work. */
So, Cygwin basically assumes that the user that cron runs under will be in
the SYSTEM group, and tries to change the mode of the tab file so that
cron can access it. Unfortunately, that's not true for the directions
that Corinna gave for Win2003, since the cron_server user is not in the
SYSTEM group. One solution is to assume the invariant that cron always
runs as a user in the SYSTEM group, but, AFAICS, there is no way to add a
user to the SYSTEM group. Another solution is to select another group and
make that invariant (and add the cron_server user to it), which will
require changing the cron sources.
Corinna, any comments?
Igor
On Wed, 17 Dec 2003, Benn Schreiber wrote:
> This is a follow-up to my original post. I've done some work offline with a
> couple of people on this, but wanted to bring the issue, and current
> findings, back to the list.
>
> Summary: Windows 2003 server, set up crond per Corinna's directions (posted
> below). Once a user (pick a user, any user) does a 'crontab -e', crond
> reports 'CANT OPEN (tabs/user)'
>
> At this point, the tabs/user file is owned by user.SYSTEM If I change the
> ownership to user.Administrators, crond is happy and so am I because my cron
> jobs run.
>
> So, I have a workaround (manually change the protection on the tabs/user
> file to user.Administrators after a 'crontab -e'). I'm posting this in case
> others run into the problem, and with the hope that a future rev of cron
> will address this problem.
>
> Thanks
> Benn
>
> From: "Benn Schreiber" <bls at starwhite dot net>
> To: <cygwin at cygwin dot com>
> Date: Tue, 16 Dec 2003 08:51:26 -0800
> Subject: Re: Windows 2003 Server & Cygwin Cron
>
> I am running on Windows 2003 server, and set up cron_server per this note.
> The cron server starts just fine, but reports that it can't open
> tabs/theuser (where theuser is the user account name).
>
> The protection on tabs/theuser is 640 o.g is user.SYSTEM which is probably
> why cron server can't open it. I changed the group to administrators, which
> cron_server is part of, but unfortunately, a 'crontab -e' resets the group
> to SYSTEM.
>
> Thanks
>
> Benn
>
> From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
> To: cygwin at cygwin dot com
> Date: Tue, 11 Nov 2003 10:02:53 +0100
> Subject: Re: Windows 2003 Server & Cygwin Cron
> References: <NPEOLGGPKHICABBIJEIBCELECCAA.brian@cruik.org>
> Reply-to: cygwin at cygwin dot com
> ________________________________________
> On Mon, Nov 10, 2003 at 03:26:07PM -0700, Brian Cruikshank wrote:
> > I have tried putting
> > the everyone group on the Local Security policies for "Create a token
> > object", "Logon as service", and "Replace a process level token". The
> > problem still happens.
>
> URGH! Don't do this. Remove the Everyone group from these rights
> again. The easiest way is to follow the ssh-host-config script in
> creating a special account:
>
> net user cron_server <passwd> /add /yes
> net localgroup <administrators_group_name> cron_server /add
> editrights -a SeAssignPrimaryTokenPrivilege -u cron_server
> editrights -a SeCreateTokenPrivilege -u cron_server
> editrights -a SeIncreaseQuotaPrivilege -u cron_server
> editrights -a SeServiceLogonRight -u cron_server
> mkpasswd -l -u cron_server >> /etc/passwd
>
> For security reasons:
> editrights -a SeDenyInteractiveLogonRight -u cron_server
> editrights -a SeDenyNetworkLogonRight -u cron_server
> editrights -a SeDenyRemoteInteractiveLogonRight -u cron_server
>
> And then create a cron service using that account:
> cygrunsrv -I cron -p /usr/sbin/cron -a -D -u cron_server -w <passwd>
>
> > By the way, I see reference to a cron README file that should have been in
> > the install. I cannot find it anywhere yet. Did it get lost in the new
> > releases or is it hiding somewhere other than /usr/doc?
>
> /usr/share/doc/...
>
> Corinna
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_ pechtcha@cs.nyu.edu
ZZZzz /,`.-'`' -. ;-;;,_ igor@watson.ibm.com
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D.
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
"I have since come to realize that being between your mentor and his route
to the bathroom is a major career booster." -- Patrick Naughton
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/