0

I can't run crontab -e as a regular user on a Gentoo box I've got. Here's a transcript:

ben@tools ~ $ crontab -e
    # (I add something trivial, like a new line containing "#foo")
crontab: installing new crontab
chown: Operation not permitted
crontab: edits left in /tmp/crontab.XXXXULPy6M
ben@tools ~ $

I have another Gentoo machine on which it works fine.

I've checked permissions on all these things, and they all look both sensible and identical to the machine where it works:

tools ~ # ls -AFlh /usr/bin/crontab 
-rwxr-s--x 1 root crontab 29K Oct 22 16:16 /usr/bin/crontab*
tools ~ # ls -AFlhd /tmp
drwxrwxrwt 17 root root 3.2K Oct 22 16:34 /tmp/
tools ~ # ls -AFlhd /var/spool/cron
drwxr-xr-x 4 cron root 4.0K Oct 22 16:07 /var/spool/cron/
tools ~ # ls -AFlhd /var/spool/cron/crontabs
drwx-wx--T 2 root crontab 4.0K Oct 22 16:16 /var/spool/cron/crontabs/

I am a member of the groups cron and crontab:

ben@tools ~ $ groups ben
cron crontab sysops

There is no /etc/cron.allow, and /etc/cron.deny is blank apart from comment lines.

I've tried updating the vixie-cron package, by doing:

emerge --sync
emerge -v vixie-cron # reinstall the current version, in case something is wrong
# add "sys-process/vixie-cron ~x86" to /etc/portage/package.keywords
emerge -v =vixie-cron-4.1-r11

No good.

I've tried running strace against it (both as myself with strace -Ff crontab -e and as root by running crontab -e as myself and then strace -FF -p foo as root), but I can't see anything more useful than the error message I've already got:

chown32("crontabs/tmp.XXXXI5Oi61", 0, -1) = -1 EPERM (Operation not permitted)
write(2, "chown: Operation not permitted\n", 31) = 31
close(4)                                = 0

I have of course Googled for it, and every Google result has talked about checking permissions on the same files/folders I've checked above.

Help! I'm out of ideas.

Ben Williams

2 Answers

1

Why does "drwx-wx--T 2 root crontab 4.0K Oct 22 16:16 /var/spool/cron/crontabs/" not have read permission for the groups?

Either assign read permission on this crontabs/ directory. I guess crontab is run as ben:crontab, and crontab/ does not have permission for any groups to read from crontabs/.

Or try 'chmod 4755 /usr/bin/crontab'. With this, crontab should be run as root:crontab, and crontabs/ has read/write access for root.

kalyan

0

Maybe the crontab rights have been changed. On my Ubuntu, it is:

-rwxr-sr-x 1 root crontab 35896 24-08-2010 22:45:58 /usr/bin/crontab

Check the g+s?

Dom

  • My /usr/bin/crontab has g+s (I ls that file above). – Ben Williams Oct 22 '10 at 08:11
  • Your filesystem is not full or read-only? – Dom Oct 22 '10 at 13:56
  • Or check if a filesystem is mounted with the nosuid option. After that, check 'lsattr /usr/bin/crontab'. Mine is '-----------------e- /usr/bin/crontab' – Dom Oct 22 '10 at 15:44
  • @Dom: Filesystems (both / and /tmp) were not full. When I get to work on Monday I'll do the relevant lsattrs. – Ben Williams Oct 23 '10 at 08:31
  • root@tools ~ # lsattr -d /tmp lsattr: Inappropriate ioctl for device While reading flags on /tmp root@tools ~ # mount | grep /tmp none on /tmp type tmpfs (size=16m,mode=1777) root@tools ~ # lsattr -d /var/spool/cron -------------- /var/spool/cron root@tools ~ # lsattr -d /var/spool/cron/crontabs -------------- /var/spool/cron/crontabs root@tools ~ # lsattr /usr/bin/crontab -------------- /usr/bin/crontab – Ben Williams Oct 24 '10 at 21:56
  • Sorry, I can't format that comment, so it's pretty unclear :( It's basically command-response, starting command again with "root@tools", if that helps. – Ben Williams Oct 24 '10 at 21:57
  • Could you check the mount on /usr/bin? It shouldn't have the nosuid option – Dom Oct 25 '10 at 16:10
  • (commands separated by " --- "): root@tools ~ # mount /dev/hdv1 on / type ufs (defaults) none on /proc type proc (defaults) none on /tmp type tmpfs (size=16m,mode=1777) none on /dev/pts type devpts (gid=5,mode=620) --- root@tools ~ # l -d /usr/bin drwxr-xr-x 2 root root 36K Oct 26 08:37 /usr/bin/ – Ben Williams Oct 25 '10 at 22:13
  • Check with cat /proc/mounts, you will not see 'default', but the list of parameters. I don't know default values for UFS, I don't use it. – Dom Oct 26 '10 at 06:43
  • I've realised this may be a tiny bit more complicated than I initially thought - the `tools` machine where `crontab -e` isn't working is actually a vserver. In any case, this is /proc/mounts: ben@tools ~ $ cat /proc/mounts rootfs / rootfs rw 0 0 /dev/root / ext3 rw,noatime,data=ordered 0 0 none /proc proc rw,nodiratime,nodev 0 0 none /tmp tmpfs rw,nodev 0 0 none /dev/pts devpts rw 0 0 – Ben Williams Oct 28 '10 at 21:50
  • Sorry that took so long to reply - and thanks for your help so far Dom :) – Ben Williams Oct 28 '10 at 21:53
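
The nosuid check suggested in the comments above (find the mount that holds /usr/bin/crontab in /proc/mounts and look at its options), as an added example that is not part of the original thread. The function names are hypothetical; the sample mount table is the one quoted in the comments.

```shell
# Added example, not from the thread. Mount table copied from the
# /proc/mounts output quoted in the comments above.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/root / ext3 rw,noatime,data=ordered 0 0
none /proc proc rw,nodiratime,nodev 0 0
none /tmp tmpfs rw,nodev 0 0
none /dev/pts devpts rw 0 0'

# mount_opts_for PATH [MOUNTS_TEXT] (hypothetical helper)
# Print the options of the mount holding PATH: the longest mount point that
# is a prefix of PATH. On a tie the later line wins, since it is mounted on
# top of the earlier one. Reads /proc/mounts when no table is passed.
mount_opts_for() {
    table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$table" | awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"
            if ((p == mp || index(p, pre) == 1) && length(mp) >= best) {
                best = length(mp); opts = $4
            }
        }
        END { print opts }'
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# setid_honoured FILE [MOUNTS_TEXT] (hypothetical helper)
# 0: FILE's filesystem is mounted without nosuid, so set-uid/set-gid bits
#    on FILE take effect; 1: nosuid is set; 2: no mount line matched.
setid_honoured() {
    opts=$(mount_opts_for "$1" "$2")
    [ -n "$opts" ] || return 2
    if has_opt "$opts" nosuid; then return 1; fi
    return 0
}

# Demo on the thread's table: neither filesystem carries nosuid.
for f in /usr/bin/crontab /tmp/crontab.XXXXULPy6M; do
    if setid_honoured "$f" "$SAMPLE_MOUNTS"; then
        echo "$f: set-id bits honoured ($(mount_opts_for "$f" "$SAMPLE_MOUNTS"))"
    else
        echo "$f: nosuid set or mount not found"
    fi
done
```

Called without a second argument, both helpers read the live /proc/mounts, so `setid_honoured /usr/bin/crontab` runs the same check on the machine itself.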