
I have a Lightsail instance in AWS, and it's a LAMP stack. Previously, I (or bitnami, not sure) created a cron for SSL. It looks something like this:

```
0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /o...
```

If I connect via SSH and run crontab -l, I get the following output (the second cron is for test purposes):

```
0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /o...
* * * * * sudo /usr/bin/touch /opt/bitnami/apache2/htdocs/.htaccess
```

Now, I'm thinking about adding more cron jobs that are related to the app. Adding cron jobs manually (via SSH) is tedious. I want to be able to do this in the UI. I'm saying this because I've seen this done (e.g. in DirectAdmin, Plesk Panel, WHMCS, etc.).

So I started searching for ways to view/edit/delete cron jobs in PHP. The idea seems simple. Get the current cron jobs (`crontab -l`), parse and modify them, and load them back (`crontab file`). So I tried to get the current cron jobs (in a PHP file, from the browser), but failed:

```php
exec("crontab -l", $crons);
exec("crontab -u bitnami -l", $crons_bitnami);

exec("sudo crontab -l", $sudo_crons);
exec("sudo crontab -u bitnami -l", $sudo_crons_bitnami);

var_dump(exec("whoami")); // daemon
var_dump(shell_exec("crontab -l")); // NULL

var_dump($crons);         // array(0) { }
var_dump($crons_bitnami); // array(0) { }

var_dump($sudo_crons);         // array(0) { }
var_dump($sudo_crons_bitnami); // array(0) { }
```

I get empty results. I get the two cron jobs that I added if I run `crontab -l` over SSH, but this doesn't work in PHP. So I checked the users. If I type `whoami` in SSH, I get `bitnami`. In PHP, it returns `daemon`. I searched more and figured out that each user has its own cron jobs. In SSH, I'm the user `bitnami` and it has two cron jobs. Why am I `daemon` in PHP? Is that the reason I'm getting an empty result? If so, can/how do I change it?

I tested the same code on other servers, and I seem to get correct results. The user is not daemon and I can see the cron jobs. So this might be Lightsail/bitnami related. Nevertheless, is there anything that I can do to fix it?

akinuri
  • Did you try using the full path to crontab, e.g. (`/usr/bin/crontab -u bitnami -l`)? This has tripped me up in the past. Check where crontab is located with `which crontab`. – Jamie_D Dec 07 '20 at 12:34
  • @Jamie_D Nope, I did not. But I tested it just now, and it didn't work. I've seen similar warnings/suggestions (using full path), but didn't think it'd help. I wish it was that simple :) – akinuri Dec 07 '20 at 12:40
  • You should check that exec function is not disabled in your php.ini file: [See this post](https://stackoverflow.com/questions/24999673/how-to-enable-shell-exec-and-exec-on-php) – Jamie_D Dec 07 '20 at 12:48
  • How do you run `whoami` in PHP? Be more specific. – AbraCadaver Dec 07 '20 at 12:52
  • @AbraCadaver `var_dump(exec("whoami"))`. It's in the example. – akinuri Dec 07 '20 at 12:53
  • From the command line logged in SSH or that is in a page you access with a browser? That's what I meant by specific. – AbraCadaver Dec 07 '20 at 12:54
  • I ran the `var_dump(exec("whoami"))` in a page (on the browser). – akinuri Dec 07 '20 at 12:59
  • Now that you mention it, I tried to run it in SSH, that is `php -a`, and then `var_dump(exec("whoami"));`. It returned `bitnami`, which is correct. Weird? – akinuri Dec 07 '20 at 13:02
  • I was going to suggest that. The crontab in your browser is not the same as the one you run under SSH (hence the NULL crontab). The way around this would be to change the user in your PHP file (never tried this), or to enter the cron jobs under the daemon user – Jamie_D Dec 07 '20 at 13:04
  • I'm not really familiar with Linux, so all I could come up with to look for inconsistencies (maybe related to `daemon`). I've found this. `htdocs` folder's owner and group differ, and it includes `daemon`. Could that be related to the problem? [FileZilla screenshot](https://i.imgur.com/SNckhWe.png) – akinuri Dec 07 '20 at 13:16
  • The web server process runs as `daemon`. Virtually all web servers will run as some limited user such as `nobody`, `www-data` or something else. Most likely `daemon` will need sudo access to crontab as `bitnami`. – AbraCadaver Dec 07 '20 at 13:35
  • I tried to add a cron job in PHP file and see the result in SSH (`sudo crontab -u daemon -l`), but then I got `The user daemon cannot use this program (crontab)`. Next, I checked `/etc/cron.deny` and `daemon` was listed there... This is really frustrating. Am I not allowed to control crontab from PHP? :\ – akinuri Dec 07 '20 at 14:14
  • I decided to remove `daemon` from `/etc/cron.deny`. I still can't add cron in the PHP file. I can add cron in SSH using `sudo crontab -u daemon -e`, but the cron doesn't work/tick. Also, now I can view the crons in the PHP file using only `crontab -l` or `crontab -u daemon -l`. Any other combination doesn't work. Since I can't add and the cron doesn't work, viewing doesn't matter... This sucks. I guess I'm going to have to contact AWS and/or bitnami. – akinuri Dec 07 '20 at 15:49
  • Bitnami Engineer here. I just removed the daemon user from the `/etc/cron.deny` file as you mentioned and manually added a new entry in the cron file for daemon `* * * * * date >> /tmp/date.txt`. After waiting one minute, I confirmed that the date.txt file was created and it included the date command output information. Please note that the daemon user has no home folder or shell configured by default (`/etc/passwd`) and that can be the issue you are running into when running commands. – Jota Martos Dec 09 '20 at 12:04
  • @JotaMartos Thanks for the reply. Your example worked. I'd done my test with `touch` and it didn't work. I guess it was because the file it tried to touch belonged to `bitnami`, not to `daemon`. Permission issues :\ I tried to modify a text file (counter.txt) using cron, but then again, the file is created by/belongs to `bitnami`; `daemon` can't access it. What do I do? Change permission/ownership? Every time? I tried to change the PHP user by changing `daemon` to `bitnami` in `/opt/bitnami/php/etc/php-fpm.d/www.conf.default`, but it didn't work. Why? There should be documentation for this... – akinuri Dec 09 '20 at 13:14
  • Apache and PHP-FPM work using the daemon user due to security reasons. If you are editing one file of your application, you need to ensure that file can be written by the daemon user/group. `sudo chown bitnami:daemon -R /path/to/your/app/directory; sudo chmod g+w -R /path/to/your/app/directory`. Regarding the documentation, we have [a guide](https://docs.bitnami.com/aws/infrastructure/lamp/administration/create-custom-application-php/) that explains how to deploy a custom PHP app on top of LAMP and how to configure the permissions. – Jota Martos Dec 10 '20 at 15:19
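
The read, modify and load-back cycle the question describes, as an added example that is not part of the original post or of Bitnami's documentation: it edits only the web server user's own crontab (no `sudo`), assuming `daemon` has been removed from `/etc/cron.deny` as in the comments and that the scheduled scripts are readable by `daemon`. The job ids, script paths, `MARKER` tag and the `/usr/bin/crontab` location are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: job id => fixed command (paths are placeholders).
const ALLOWED_JOBS = [
    'cleanup' => '/usr/bin/php /path/to/your/app/directory/cron/cleanup.php',
    'report'  => '/usr/bin/php /path/to/your/app/directory/cron/report.php',
];
// Trailing tag marking lines this code owns; /bin/sh treats it as a comment.
const MARKER = '# managed-by-app:';

// Run crontab without a shell (array form of proc_open, PHP >= 7.4).
function runCrontab(array $args, string $stdin = ''): array {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(array_merge(['/usr/bin/crontab'], $args), $spec, $pipes);
    if (!is_resource($proc)) { throw new RuntimeException('cannot start crontab'); }
    fwrite($pipes[0], $stdin); fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]); fclose($pipes[1]);
    $err = stream_get_contents($pipes[2]); fclose($pipes[2]);
    return [proc_close($proc), $out, $err];
}

// Accept only five fields built from digits and * , / - (no names, no @reboot).
function isValidSchedule(string $s): bool {
    return preg_match('~^([\d*,/-]+ ){4}[\d*,/-]+$~D', $s) === 1;
}

// Pure function: returns the new crontab text, throws on input outside the rules.
function withJob(string $current, string $jobId, string $schedule): string {
    if (!array_key_exists($jobId, ALLOWED_JOBS)) { throw new InvalidArgumentException('unknown job'); }
    if (!isValidSchedule($schedule)) { throw new InvalidArgumentException('bad schedule'); }
    $tag = MARKER . $jobId;
    // Drop blank lines and any earlier line for this job; keep the rest as is.
    $kept = array_filter(explode("\n", $current),
        fn($l) => $l !== '' && substr($l, -strlen($tag)) !== $tag);
    $kept[] = $schedule . ' ' . ALLOWED_JOBS[$jobId] . ' ' . $tag;
    return implode("\n", $kept) . "\n";
}

// Read, modify, load back through stdin, all as the web server user.
function installJob(string $jobId, string $schedule): void {
    [$rc, $out] = runCrontab(['-l']);   // non-zero exit when no crontab exists yet
    [$rc, , $err] = runCrontab(['-'], withJob($rc === 0 ? $out : '', $jobId, $schedule));
    if ($rc !== 0) { throw new RuntimeException("crontab refused: $err"); }
}

// Constructed sample standing in for `crontab -l` output; runs offline.
$sample = "* * * * * date >> /tmp/date.txt\n";
echo withJob($sample, 'cleanup', '*/5 * * * *');
```

Only the job id and the schedule come from the UI; the command text is fixed server-side, so request data never becomes part of the command line that cron runs.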
