cron -- System Administration

Execute commands periodically
/etc/cron&

cron is a daemon that executes commands at preset times.

Once each  minute cron searches for commands to  execute.  cron first looks
for file /usr/lib/crontab. If it exists, then cron reads it for commands to
execute.   If  /usr/lib/crontab  does  not  exist, however,  cron  searches
/usr/spool/cron/crontabs  for command  files.  Each user  can have  her own
command  file in  that directory.   See the Lexicon  entry for  crontab for
information how to write and load a command file.

For each  entry in each command  file, cron compares the  current time with
the scheduled  execution time and executes the command  if the times match.
When it finishes the search, cron sleeps until the next minute.  Because it
never exits, cron should be executed only once (customarily by /etc/rc).

cron is  designed for commands  that must be  executed regularly.  Temporal
commands that  need to  be executed  only once should  be handled  with the
command at.

Permissions

cron  performs some  interesting manipulations  with permissions.   This is
necessary to allow cron to run  a wide variety of programs untended without
creating loopholes in the system's security.  Occasionally, this can create
difficulties  for users  who  do not  grasp  what cron  does  or why.   The
following describes  how cron manipulates  permissions on the  programs you
ask it to run.

To  begin,  when  cron executes  a  user's  crontab  file,  it changes  the
effective  user ID  to the  ID  of that  user whose  crontab file  is being
executed, cd's  to the user's HOME directory.  When,  however, cron runs an
entry from  a /usr/lib/crontab, it  uses the user  ID and group  ID of user
daemon. This prevents security holes involving entries in a crontable file.

For example, the following crontab entry contains redirection:

    * * * * *   echo hello world >/dev/console 2>&1

If  cron finds  this entry  in  /usr/lib/crontab, it  tries to  execute the
command as  user daemon.  The command  will not execute  it if  user daemon
lacks permission to write to /dev/console. Note that using /usr/lib/crontab
is not recommended.

If however,  it finds the entry  in user henry's crontab  file, it tries to
execute the command under the effective  user ID of henry. The command will
fail if  henry lacks permission to write to  /dev/console, and will succeed
if he does.

When the shell executes a command  in the background, it reads its standard
input from /dev/null (unless  redirected) and writes its standard output to
the controlling tty.  If  cron is invoked with /etc/cron& from /etc/rc,
there  is no  controlling tty,  so the standard  output goes  to /dev/null.
Thus,

    * * * * *   echo hello world

typically writes hello world to /dev/null.

When a user  logs in, /bin/login grabs the tty  and runs chown and chmod on
it.  It is owned by the user with default permissions 700.  If the user who
has logged in on the console types the command

    chmod /dev/console a+w

to allow all users to write to it, then the crontab entry

    * * * * *   echo hello world >/dev/console 2>/tmp/cron.err

will indeed echo to the console every minute.

cron   should   be   executed  only   once,   at   boot   time.   It   uses
/usr/lib/cron/FIFO as  a lock file  to prevent the execution  more than one
cron daemon.

If mail options  are enabled, which is the default,  cron sends mail to the
owner of a crontab about all commands in that file that failed.

To allow cron to remove lock file /usr/lib/cron, do not send signal KILL to
cron. Instead,  use signal TERM.  cron ignores signals INT,  HUP, and PIPE.
cron uses the signal ALRM internally.

Files and Directories


/usr/lib/cron/FIFO
     Lock file (named pipe).  Created by cron; removed by cron/rc.

/usr/lib/cron/cron.allow
     List of allowed users.  Permissions: 600 root root.

/usr/lib/cron/cron.deny
     List of denied users.  Permissions: 600 root root.

/usr/lib/crontab
     Global crontab file, used by previous COHERENT cron mechanism.

/usr/spool/cron
     Spool directory parent.  Permissions: 700 root root.

/usr/spool/cron/crontabs
     Main cron directory.  It holds each user's command file.  Permissions:
     700 root root.

See Also

Administering COHERENT,
commands,
crontab

Notes

cron does not presently write into  the log file.  The size of the hostname
+ domain must not exceed 1,000 characters.

cron looks for /usr/lib/crontab  to remain compatible with the COHERENT 286
version of  cron. If, however,  you continue to  keep all cron  commands in
file /usr/lib/crontab, it will not be possible to run setuid cron tasks for
logins that  have a password.  It  is strongly recommended that  you do not
use /usr/lib/crontab, and instead create individual crontab files.

© 2012 by Stephen A. Ness