[OpenIndiana-discuss] Cron best practice

Robbie Crash sardonic.smiles at gmail.com
Mon May 14 20:26:16 UTC 2012


Agreed, the best practices on Windows boxes should be the same as the best
practices on NIX systems. A service account with rights to do its one job,
and as little else as possible. Accounts for services should be created the
same way that user accounts are. Make them able to do the least amount of
damage either via malice or stupidity. Giving a script that's sitting in a
public or semi-public directory root access is bad news bears.

Give the account as little freedom as you can without impacting its ability
to do the job. Specialized accounts complicate user management, but
simplify systems maintenance. It's a lot easier to disable the user
"SVC_CopyAllBobsFilesToDonnysDirectoryAndThenDoXYZ" in one command than it
is to hunt down all the places and potential crontabs that those scripts
could be residing in/called from.

The thing I'm unsure of is if it's best practice to get cron to perform the
task, or if it's better to get cron to call a script.

On Mon, May 14, 2012 at 3:48 PM, Jan Owoc <jsowoc at gmail.com> wrote:

> On Mon, May 14, 2012 at 1:42 PM, Mark Creamer <whitetr6 at gmail.com> wrote:
> > I'm looking for a bit of best practice advice. On Windows systems I
> > usually create a job runner account with the correct permissions to
> > run batch scripts when they need to be scheduled, so the jobs aren't
> > tied to specific users whose passwords will change.
> >
> > So in OI, I have a similar need, to run a job nightly that will pull
> > data from a neighboring server using a scp command run in a cron job.
> > My thought is to create a user account and set up passwordless scp to
> > facilitate scripting the scp task. Would it then be best to run the
> > job in root's cron? Or from the shell of the user running the scp?
>
> I would imagine that you should be running any script with the minimum
> permissions needed for it to function. If all you need to do is copy
> files from a remote server to the local filesystem, you should be able
> to do that with a regular user account.
>
> I would only run such a script as the root if I anticipate problems
> with permissions (eg. other users making conflicting changes to the
> target folder and I need to overwrite them).
>
>
> On Mon, May 14, 2012 at 1:46 PM, Bryan Iotti <ironsides.medvet at gmail.com>
> wrote:
> > Very good question, curious myself
> >
> > Could it be run as user "nobody"?
>
> The user could be called "mybackup" with the shell set to
> "/bin/false", if you want to prevent logon as that user.
>
>
> Jan



-- 
Seconds to the drop, but it seems like hours.

http://www.eff.org/
http://creativecommons.org/
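
Added example, not part of the original message or the thread: a POSIX shell check for the situation described above, where a cron-invoked script sits in a directory that other users can write to. The function names `loose_perms` and `audit_cron_script` and the optional trusted top directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Report every path component of a cron-invoked script that someone other
# than its owner could modify or replace.
# Usage: audit_cron_script /path/to/script [trusted_top_dir]
# trusted_top_dir (default /) is where the upward walk stops (hypothetical
# parameter, e.g. the job account's home directory).

# Print the path if it is group- or world-writable (POSIX find, no GNU stat).
loose_perms() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

audit_cron_script() {
    script=$1
    top=${2:-/}
    status=0

    [ -f "$script" ] || { echo "MISSING $script"; return 2; }
    if [ -L "$script" ]; then
        # A link can be repointed by whoever controls its directory.
        echo "SYMLINK $script (review the link target separately)"
        status=1
    elif [ -n "$(loose_perms "$script")" ]; then
        echo "WRITABLE $script"
        status=1
    fi

    # Resolve directories physically so a symlinked directory cannot hide a
    # writable parent, then walk up to the trusted top.
    dir=$(cd -P "$(dirname "$script")" && pwd -P) || return 2
    top=$(cd -P "$top" && pwd -P) || return 2
    while :; do
        if [ -n "$(loose_perms "$dir")" ]; then
            echo "WRITABLE $dir"
            status=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $status
}
```

A non-zero return means at least one component was flagged; sticky-bit directories such as /tmp are reported as well, since a script placed there is still in a shared location.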

