Re: Windows 2003 Server & Cygwin Cron
I am running on Windows 2003 server, and set up cron_server per this note. The cron server starts just fine, but reports that it can't open tabs/theuser (where theuser is the user account name). The protection on tabs/theuser is 640 o.g is user.SYSTEM which is probably why cron server can't open it. I changed the group to administrators, which cron_server is part of, but unfortunately, a 'crontab -e' resets the group to SYSTEM. Thanks Benn From: Corinna Vinschen To: cygwin at cygwin dot com Date: Tue, 11 Nov 2003 10:02:53 +0100 Subject: Re: Windows 2003 Server & Cygwin Cron References: <[EMAIL PROTECTED]> Reply-to: cygwin at cygwin dot com On Mon, Nov 10, 2003 at 03:26:07PM -0700, Brian Cruikshank wrote: > I have tried putting > the everyone group on the Local Security policies for "Create a token > object", "Logon as service", and "Replace a process level token". The > problem still happens. URGH! Don't do this. Remove the Everyone group from these rights again. The easiest way is to follow the ssh-host-config script in creating a special account: net user cron_server /add /yes net localgroup cron_server /add editrights -a SeAssignPrimaryTokenPrivilege -u cron_server editrights -a SeCreateTokenPrivilege -u cron_server editrights -a SeIncreaseQuotaPrivilege -u cron_server editrights -a SeServiceLogonRight -u cron_server mkpasswd -l -u cron_server >> /etc/passwd For security reasons: editrights -a SeDenyInteractiveLogonRight -u cron_server editrights -a SeDenyNetworkLogonRight -u cron_server editrights -a SeDenyRemoteInteractiveLogonRight -u cron_server And then create a cron service using that account: cygrunsrv -I cron -p /usr/sbin/cron -a -D -u cron_server -w > By the way, I see reference to a cron README file that should have been in > the install. I cannot find it anywhere yet. Did it get lost in the new > releases or is it hiding somewhere other than /usr/doc? /usr/share/doc/... Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developermailto:[EMAIL PROTECTED] Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
RE: Windows 2003 Server & Cygwin Cron
1. Permissions for /var/cron/tabs/ should be 640, as you have reported. 2. Ownership for this file should be user.SYSTEM, as you have reported. 3. Please try the diagnostic script attached to this message: http://sources.redhat.com/ml/cygwin/2003-11/msg01001.html > -Original Message- > From: Benn Schreiber [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 11:51 AM > To: [EMAIL PROTECTED] > Subject: Re: Windows 2003 Server & Cygwin Cron > > > I am running on Windows 2003 server, and set up cron_server > per this note. > The cron server starts just fine, but reports that it can't open > tabs/theuser (where theuser is the user account name). > > The protection on tabs/theuser is 640 o.g is user.SYSTEM > which is probably > why cron server can't open it. I changed the group to > administrators, which > cron_server is part of, but unfortunately, a 'crontab -e' > resets the group > to SYSTEM. > > Thanks > > Benn > > From: Corinna Vinschen > To: cygwin at cygwin dot com > Date: Tue, 11 Nov 2003 10:02:53 +0100 > Subject: Re: Windows 2003 Server & Cygwin Cron > References: <[EMAIL PROTECTED]> > Reply-to: cygwin at cygwin dot com > > On Mon, Nov 10, 2003 at 03:26:07PM -0700, Brian Cruikshank wrote: > > I have tried putting > > the everyone group on the Local Security policies for > "Create a token > > object", "Logon as service", and "Replace a process level > token". The > > problem still happens. > > URGH! Don't do this. Remove the Everyone group from these rights > again. The easiest way is to follow the ssh-host-config script in > creating a special account: > > net user cron_server /add /yes > net localgroup cron_server /add > editrights -a SeAssignPrimaryTokenPrivilege -u cron_server > editrights -a SeCreateTokenPrivilege -u cron_server > editrights -a SeIncreaseQuotaPrivilege -u cron_server > editrights -a SeServiceLogonRight -u cron_server > mkpasswd -l -u cron_server >> /etc/passwd > > For security reasons: > editrights -a SeDenyInteractiveLogonRight -u cron_server > editrights -a SeDenyNetworkLogonRight -u cron_server > editrights -a SeDenyRemoteInteractiveLogonRight -u cron_server > > And then create a cron service using that account: > cygrunsrv -I cron -p /usr/sbin/cron -a -D -u cron_server -w > > > By the way, I see reference to a cron README file that > should have been in > > the install. I cannot find it anywhere yet. Did it get > lost in the new > > releases or is it hiding somewhere other than /usr/doc? > > /usr/share/doc/... > > Corinna > > -- > Corinna Vinschen Please, send mails > regarding Cygwin to > Cygwin Developer mailto:[EMAIL PROTECTED] Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/ -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
Quoting crontab.c from the cron-3.0.1-11 sources: /* Cygwin can't support changing the owner since that requires crontab to be a s-uid application which is not supported. As workaround we try to set group membership to be SYSTEM (== ROOT_UID) and setting permissions to 640 which should allow cron to work. */ So, Cygwin basically assumes that the user that cron runs under will be in the SYSTEM group, and tries to change the mode of the tab file so that cron can access it. Unfortunately, that's not true for the directions that Corinna gave for Win2003, since the cron_server user is not in the SYSTEM group. One solution is to assume the invariant that cron always runs as a user in the SYSTEM group, but, AFAICS, there is no way to add a user to the SYSTEM group. Another solution is to select another group and make that invariant (and add the cron_server user to it), which will require changing the cron sources. Corinna, any comments? Igor On Wed, 17 Dec 2003, Benn Schreiber wrote: > This is a follow-up to my original post. I've done some work offline with a > couple of people on this, but wanted to bring the issue, and current > findings, back to the list. > > Summary: Windows 2003 server, set up crond per Corinna's directions (posted > below). Once a user (pick a user, any user) does a 'crontab -e', crond > reports 'CANT OPEN (tabs/user)' > > At this point, the tabs/user file is owned by user.SYSTEM If I change the > ownership to user.Administrators, crond is happy and so am I because my cron > jobs run. > > So, I have a workaround (manually change the protection on the tabs/user > file to user.Administrators after a 'crontab -e'). I'm posting this in case > others run into the problem, and with the hope that a future rev of cron > will address this problem. > > Thanks > Benn > > From: "Benn Schreiber" > To: > Date: Tue, 16 Dec 2003 08:51:26 -0800 > Subject: Re: Windows 2003 Server & Cygwin Cron > > I am running on Windows 2003 server, and set up cron_server per this note. > The cron server starts just fine, but reports that it can't open > tabs/theuser (where theuser is the user account name). > > The protection on tabs/theuser is 640 o.g is user.SYSTEM which is probably > why cron server can't open it. I changed the group to administrators, which > cron_server is part of, but unfortunately, a 'crontab -e' resets the group > to SYSTEM. > > Thanks > > Benn > > From: Corinna Vinschen > To: cygwin at cygwin dot com > Date: Tue, 11 Nov 2003 10:02:53 +0100 > Subject: Re: Windows 2003 Server & Cygwin Cron > References: <[EMAIL PROTECTED]> > Reply-to: cygwin at cygwin dot com > > On Mon, Nov 10, 2003 at 03:26:07PM -0700, Brian Cruikshank wrote: > > I have tried putting > > the everyone group on the Local Security policies for "Create a token > > object", "Logon as service", and "Replace a process level token". The > > problem still happens. > > URGH! Don't do this. Remove the Everyone group from these rights > again. The easiest way is to follow the ssh-host-config script in > creating a special account: > > net user cron_server /add /yes > net localgroup cron_server /add > editrights -a SeAssignPrimaryTokenPrivilege -u cron_server > editrights -a SeCreateTokenPrivilege -u cron_server > editrights -a SeIncreaseQuotaPrivilege -u cron_server > editrights -a SeServiceLogonRight -u cron_server > mkpasswd -l -u cron_server >> /etc/passwd > > For security reasons: > editrights -a SeDenyInteractiveLogonRight -u cron_server > editrights -a SeDenyNetworkLogonRight -u cron_server > editrights -a SeDenyRemoteInteractiveLogonRight -u cron_server > > And then create a cron service using that account: > cygrunsrv -I cron -p /usr/sbin/cron -a -D -u cron_server -w > > > By the way, I see reference to a cron README file that should have been in > > the install. I cannot find it anywhere yet. Did it get lost in the new > > releases or is it hiding somewhere other than /usr/doc? > > /usr/share/doc/... > > Corinna -- http://cs.nyu.edu/~pechtcha/ |\ _,,,---,,_[EMAIL PROTECTED] ZZZzz /,`.-'`'-. ;-;;,_[EMAIL PROTECTED] |,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D. '---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow! "I have since come to realize that being between your mentor and his route to the bathroom is a major career booster." -- Patrick Naughton -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
On Dec 17 14:43, Igor Pechtchanski wrote: > Quoting crontab.c from the cron-3.0.1-11 sources: > > /* Cygwin can't support changing the owner since that requires crontab to >be a s-uid application which is not supported. >As workaround we try to set group membership to be SYSTEM (== ROOT_UID) >and setting permissions to 640 which should allow cron to work. */ > > So, Cygwin basically assumes that the user that cron runs under will be in > the SYSTEM group, and tries to change the mode of the tab file so that > cron can access it. Unfortunately, that's not true for the directions > that Corinna gave for Win2003, since the cron_server user is not in the > SYSTEM group. One solution is to assume the invariant that cron always > runs as a user in the SYSTEM group, but, AFAICS, there is no way to add a > user to the SYSTEM group. Another solution is to select another group and > make that invariant (and add the cron_server user to it), which will > require changing the cron sources. > > Corinna, any comments? No, except that there's no SYSTEM group and using SYSTEM as a group is some sort of a Cygwin hack. Using administrators as group is actually better. Will change at one point in future. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developermailto:[EMAIL PROTECTED] Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
I absolutely agree, Corinna. The correct fix is to use the administrators group. I was provided with a crontab that sets the group ownership to administrators, rather than SYSTEM, and it is fine. Benn > Quoting crontab.c from the cron-3.0.1-11 sources: > > /* Cygwin can't support changing the owner since that requires crontab to >be a s-uid application which is not supported. >As workaround we try to set group membership to be SYSTEM (== ROOT_UID) >and setting permissions to 640 which should allow cron to work. */ > > So, Cygwin basically assumes that the user that cron runs under will be in > the SYSTEM group, and tries to change the mode of the tab file so that > cron can access it. Unfortunately, that's not true for the directions > that Corinna gave for Win2003, since the cron_server user is not in the > SYSTEM group. One solution is to assume the invariant that cron always > runs as a user in the SYSTEM group, but, AFAICS, there is no way to add a > user to the SYSTEM group. Another solution is to select another group and > make that invariant (and add the cron_server user to it), which will > require changing the cron sources. > > Corinna, any comments? No, except that there's no SYSTEM group and using SYSTEM as a group is some sort of a Cygwin hack. Using administrators as group is actually better. Will change at one point in future. Corinna -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
On Mon, Nov 10, 2003 at 03:26:07PM -0700, Brian Cruikshank wrote: > I have tried putting > the everyone group on the Local Security policies for "Create a token > object", "Logon as service", and "Replace a process level token". The > problem still happens. URGH! Don't do this. Remove the Everyone group from these rights again. The easiest way is to follow the ssh-host-config script in creating a special account: net user cron_server /add /yes net localgroup cron_server /add editrights -a SeAssignPrimaryTokenPrivilege -u cron_server editrights -a SeCreateTokenPrivilege -u cron_server editrights -a SeIncreaseQuotaPrivilege -u cron_server editrights -a SeServiceLogonRight -u cron_server mkpasswd -l -u cron_server >> /etc/passwd For security reasons: editrights -a SeDenyInteractiveLogonRight -u cron_server editrights -a SeDenyNetworkLogonRight -u cron_server editrights -a SeDenyRemoteInteractiveLogonRight -u cron_server And then create a cron service using that account: cygrunsrv -I cron -p /usr/sbin/cron -a -D -u cron_server -w > By the way, I see reference to a cron README file that should have been in > the install. I cannot find it anywhere yet. Did it get lost in the new > releases or is it hiding somewhere other than /usr/doc? /usr/share/doc/... Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developermailto:[EMAIL PROTECTED] Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
Hello Corinna Corinna Vinschen wrote: The easiest way is to follow the ssh-host-config script in creating a special account: net user cron_server /add /yes net localgroup cron_server /add editrights -a SeAssignPrimaryTokenPrivilege -u cron_server editrights -a SeCreateTokenPrivilege -u cron_server editrights -a SeIncreaseQuotaPrivilege -u cron_server editrights -a SeServiceLogonRight -u cron_server mkpasswd -l -u cron_server >> /etc/passwd For security reasons: editrights -a SeDenyInteractiveLogonRight -u cron_server editrights -a SeDenyNetworkLogonRight -u cron_server editrights -a SeDenyRemoteInteractiveLogonRight -u cron_server And then create a cron service using that account: cygrunsrv -I cron -p /usr/sbin/cron -a -D -u cron_server -w I've tried this and it doesn't work. The cron service starts and shuts down immediately with an error. In the Windows syslog i found: [...] CYGWIN crond : PID 288 : starting service `CYGWIN crond' failed: execv: 1, Operation not permitted. René -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
On Tue, Nov 11, 2003 at 07:13:33PM +0100, Ren? Haber wrote: > CYGWIN crond : PID 288 : starting service `CYGWIN crond' failed: > execv: 1, Operation not permitted. Check if the new cron_server user account has execute permissions on the cron.exe executable. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developermailto:[EMAIL PROTECTED] Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
I am getting some success with your suggestions. Cron is now starting and I do not get the applications errors of switching user context. Cron is staying active in my setup too. But my test crontab with date is not working. Is there a log file to see what cron is running and doing? I am trying to get the Mailto= output working, but I have not had success yet. But I have not used this feature before. Thanks for the pointer to the docs. By the way adding Everyone to the security policies was only a test. I had no intentions of leaving it. /Brian === From: Corinna Vinschen To: cygwin at cygwin dot com Date: Tue, 11 Nov 2003 19:46:17 +0100 Subject: Re: Windows 2003 Server & Cygwin Cron References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> Reply-to: cygwin at cygwin dot com On Tue, Nov 11, 2003 at 07:13:33PM +0100, Ren? Haber wrote: > CYGWIN crond : PID 288 : starting service `CYGWIN crond' failed: > execv: 1, Operation not permitted. Check if the new cron_server user account has execute permissions on the cron.exe executable. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developermailto:[EMAIL PROTECTED] Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
I am one step closer, but things are still a little strange. I set the cron service to log in as Administrator, and it will now service the Administrator crontab. It will not run the tasks in another users crontab. This might be a usuable solution for me, but not the preferred one. I am still searching for the final answer. /Brian Re: Windows 2003 Server & Cygwin Cron From: "Brian Cruikshank" To: Date: Tue, 11 Nov 2003 13:27:33 -0700 Subject: Re: Windows 2003 Server & Cygwin Cron I am getting some success with your suggestions. Cron is now starting and I do not get the applications errors of switching user context. Cron is staying active in my setup too. But my test crontab with date is not working. Is there a log file to see what cron is running and doing? I am trying to get the Mailto= output working, but I have not had success yet. But I have not used this feature before. Thanks for the pointer to the docs. By the way adding Everyone to the security policies was only a test. I had no intentions of leaving it. /Brian === From: Corinna Vinschen To: cygwin at cygwin dot com Date: Tue, 11 Nov 2003 19:46:17 +0100 Subject: Re: Windows 2003 Server & Cygwin Cron References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> Reply-to: cygwin at cygwin dot com On Tue, Nov 11, 2003 at 07:13:33PM +0100, Ren? Haber wrote: > CYGWIN crond : PID 288 : starting service `CYGWIN crond' failed: > execv: 1, Operation not permitted. Check if the new cron_server user account has execute permissions on the cron.exe executable. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developermailto:[EMAIL PROTECTED] Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
On Wed, 12 Nov 2003 [EMAIL PROTECTED] wrote: > I am one step closer, but things are still a little strange. > > I set the cron service to log in as Administrator, and it will now > service the Administrator crontab. It will not run the tasks in > another users crontab. > Why would you do that? Didn't Corinna specifically tell you to run it under the cron_server account she had you create? > Check if the new cron_server user account has execute permissions > on the cron.exe executable. > > Corinna > -- Brian Ford Senior Realtime Software Engineer VITAL - Visual Simulation Systems FlightSafety International Phone: 314-551-8460 Fax: 314-551-8444 -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
Corinna Vinschen wrote: Check if the new cron_server user account has execute permissions on the cron.exe executable. Thanks. I had some permission Problems, not only on cron.exe, because I didn't reinstall cygwin when i reinstalled Windows. Now it works. René -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/
Re: Windows 2003 Server & Cygwin Cron
On Thu, 13 Nov 2003, René Haber wrote: > Corinna Vinschen wrote: > > Check if the new cron_server user account has execute permissions > > on the cron.exe executable. > > Thanks. I had some permission Problems, not only on cron.exe, because I > didn't reinstall cygwin when i reinstalled Windows. Now it works. > > Rene There should be no need to reinstall Cygwin. "chown" is your friend. Igor -- http://cs.nyu.edu/~pechtcha/ |\ _,,,---,,_[EMAIL PROTECTED] ZZZzz /,`.-'`'-. ;-;;,_[EMAIL PROTECTED] |,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski, Ph.D. '---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow! "I have since come to realize that being between your mentor and his route to the bathroom is a major career booster." -- Patrick Naughton -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/