1

I'm trying to move away from running cron-scheduled jobs with root, so the thought process is to create a system account with no login (/dev/null home, /sbin/nologin shell) to run each cron job we need ran. I'm just curious how to give these accounts the proper permission to run where they need to be without changing the ownership of normal files and folders that are typically restricted to root.

For instance, say I want this system account to output log files of what it's doing to /var/log, However, /var/log/ is owned by root, and is set to 755. This process won't be able to create log files there without running as root, correct?

Am I correct in assuming using Linux Kernel Capabilities is the best way to do this?

Patrick
  • 599
  • For the log file example you need to set permissions on /var/log (see sticky bit). Though you could set up different directories for each user. In general this may be of some help http://unix.stackexchange.com/questions/101263/what-are-the-different-ways-to-set-file-permissions-etc-on-gnu-linux – ctrl-alt-delor Jan 17 '17 at 18:28

1 Answers1

1

One way You can achieve that is to put the logs inside a sub-folder under /var/log and then set the permission for the sub-folders.

Another why is to log into syslog with logger and use a filter to redirect the logs to a specific file.

e.g

# /etc/rsyslog.d/10-myrules.conf
if $programname == ["script1", "script2"]
then { 
    action(type="omfile" file="/var/log/myscripts/sys.log")
    stop
}

And you probably should also set a logrotate rule while you at it.

Rabin
  • 3,883
  • 1
  • 22
  • 23