vbkunin / itop-docker

Combodo iTop docker image
https://hub.docker.com/r/vbkunin/itop/
MIT License

Wrong user for cron.php #24

Closed plesiosaure closed 3 years ago

plesiosaure commented 3 years ago

Hello, according to https://www.itophub.io/wiki/page?id=2_7_0%3Aadmin%3Acron, you should "not run cron.php using root user. You must launch the command with the same user that is used by the web server running iTop." (www-data)

With root: /var/log/itop-cron.log contains Access wrong credentials ('cron').

With www-data, there is no message (cron seems OK but automatic backup is not working: select * from priv_backgroundtask; returns an empty set).

/var/log/cron.log : contains :

Nov  5 09:15:01 5fcb4375b24c CRON[6232]: (www-data) CMD (/usr/bin/php /var/www/html/webservices/cron.php --param_file=/etc/itop-cron.params >> /var/log/itop-cron.log 2>&1)
Nov  5 09:15:01 5fcb4375b24c CRON[6229]: (CRON) info (No MTA installed, discarding output)

The second line (No MTA installed) is only there when the www-data user executes the job (not root): this probably means the cron is not correctly executed with root. apt install postfix && mkfifo /var/spool/postfix/public/pickup && service postfix restart fixed this issue (and also the test email issue: no valid recipient).

Note that adding the parameter --verbose=1 does not provide more info in the logs.

Thank you

vbkunin commented 3 years ago

Hi, obviously I have to change the run user for the cron job according to the official manual, and I'll do this a little bit later. But I don't think your problem is because of that. There seems to be confusion between the system user and the app user. The developers do not recommend running cron as the root user for reasons of security of the system itself on which the app is hosted. But this has nothing to do with user access in the app.

When running as root, you got an access error: your user with login 'cron' has no access to the app because of wrong credentials. Make sure that the user with this login exists in the app and the password is correct (in the file /etc/itop-cron.params). When running as www-data you didn't get any messages because (I suggest) www-data doesn't have write permission on the log file (/var/log/itop-cron.log) that was created by the root user during the first run. An empty output with the verbose option enabled also indicates this problem with file write permissions.

Confirm or deny this suggestion by running the cron.php script from different system users without redirecting output to the log:

root@6fe8aedb4a46:/# sudo -u www-data php /var/www/html/webservices/cron.php --auth_user=admin --auth_pwd=123456 --verbose=1

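
Added example, not part of vbkunin's comment or of the itop-docker project: a shell check for the two files discussed in this thread, reporting whether the cron log is owned by the account that runs the job and whether the params file holding the app password is readable by every system user. The function names are hypothetical; the paths and the www-data account are the ones quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths come from the thread.

# owner_of PATH: print the owning user of PATH (parsed from ls -ld).
owner_of() {
    ls -ld -- "$1" | awk '{print $3}'
}

# check_log LOG RUN_USER: print ok | missing | owner-mismatch:<owner>.
# A log created by an earlier root run stays root-owned; with the default
# 0644 mode a later run as RUN_USER cannot append, and because the cron
# line redirects everything into that log, the script output is lost.
check_log() {
    [ -e "$1" ] || { echo "missing"; return 0; }
    log_owner=$(owner_of "$1")
    if [ "$log_owner" = "$2" ]; then
        echo "ok"
    else
        echo "owner-mismatch:$log_owner"
    fi
}

# check_params FILE: print ok | missing | world-readable.
# The params file stores the iTop app password, so the "other" read bit
# (8th character of the ls mode string) should be clear.
check_params() {
    [ -e "$1" ] || { echo "missing"; return 0; }
    params_mode=$(ls -ld -- "$1" | awk '{print $1}')
    case $params_mode in
        ???????r*) echo "world-readable" ;;
        *)         echo "ok" ;;
    esac
}

# Report on the thread's paths only when asked, e.g.: sh check.sh --report
if [ "${1:-}" = "--report" ]; then
    echo "log:    $(check_log /var/log/itop-cron.log www-data)"
    echo "params: $(check_params /etc/itop-cron.params)"
fi
```

An owner-mismatch result is resolved by giving the log to the account that runs the job, for example chown www-data /var/log/itop-cron.log.
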
plesiosaure commented 3 years ago

You are perfectly right. I just confused the iTop user account with the Linux user account. It's clearly stated in your Readme but not in the app documentation. Thanks.