Running a script with elevated permissions as a CRON job

I have a script that is designed to crawl a website (a Piwigo photo gallery), forcing the gallery to generate thumbnails when the site is crawled, instead of the first time the user visits that photo. The script has worked in older setups, and I did some work to get it working under TrueNAS SCALE and with my new Piwigo Docker app.

So far, so good… sort of. The script works when I run it as my non-root login (“geoffrey”), but only when I use sudo to run the script. It fails otherwise.

Ideally, I’d like to run the script as a CRON job, so that once a week any new photos added to the gallery get “touched” and thumbnails generated. I tried to schedule a CRON job, but it seems to fail when I run it - I get the following alert email:

TrueNAS TrueNAS.aiskon.net: CronTask Run

sudo: process 81214 unexpected status 0x57f
Killed

More info about the script, and how I got it working, is available here:

https://piwigo.org/forum/viewtopic.php?pid=191132

Any advice on how to adjust this, so I can run it as a CRON job?

Thank you!

For simplicity’s sake, here is the script:

# Make a login in Piwigo named "cron" and set a strong password, change the text REDACTED (one instance on Line 9) in this script to the password
#
# Nightly CRON job (run as apps): 1 0 * * * /mnt/data/apps/piwigo/scripts/piwigo-thumb-generate.sh

set -e

cd /mnt/data/apps/piwigo/scripts

wget --keep-session-cookies --save-cookies cookies.txt --delete-after --post-data="username=cron&password=REDACTED" "http://photos.aiskon.net/ws.php?format=json&method=pwg.session.login"

wget --load-cookies cookies.txt -nv -O missing.json "http://photos.aiskon.net/ws.php?format=json&method=pwg.getMissingDerivatives"

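# Keep looping while the response is larger than 50 bytes, i.e. it still lists URLs
while [ "$(wc -c missing.json | awk '{print $1}')" -gt 50 ]
do
  # Strip the JSON wrapper so that one derivative URL remains per line
  sed -e 's/[\\\"]//g' \
  -e 's/{stat:ok,result:{next_page:[0-9]*,urls:\[//' \
  -e 's/{stat:ok,result:{urls:\[//' \
  -e 's/\]}}/\n/' \
  -e 's/,/\n/g' \
  -e 's/\&b=[0-9]*//g' missing.json | \
  while read -r line ; do
    # Quote the URL so that "?" and "*" in it are not expanded as shell globs
    wget -nv -O /dev/null "$line"
  done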
  wget --load-cookies cookies.txt -nv -O missing.json "http://photos.aiskon.net/ws.php?format=json&method=pwg.getMissingDerivatives"
done

rm cookies.txt
rm missing.json

Script is set to chmod 770, owned by the user Apps (568). The “geoffrey” account is a member of the group Apps. I can’t run it without an elevated session, but I can if I use sudo.

su -m geoffrey ... possibly?

REFERENCE:

What version of TrueNAS are you using?

su -m geoffrey ... possibly?

Email result is: ‘Password: su: Authentication failure’

What version of TrueNAS are you using?

Shoulda posted that, sorry. TrueNAS Scale 24.10.1, Electric Eel

OK, I think I may have it figured out. I’d tried running it as the user Apps earlier, and I thought it failed, but I just tried again and it hasn’t given me an error yet… it seems to be working.

Once again, asking online suddenly solves the issue.

Glad you seemed to have gotten it resolved. However, my question was to use the ‘m’ flag for the ‘su’ command (as I demonstrated in the reference link I provided), NOT to run that command! Please do not run a command without understanding it first, and I will most certainly try to be more descriptive next time in my responses so that doesn’t happen again.

I am running into the same issue, but different script.

I am running my script as root. When I su - to root, I don’t get any errors. When I su -m root, I receive a zsh error about insecure directories in my standard user’s home profile.

When you run scripts from cron, you typically do that as root to perform multiple operations (like stop services, run a script, and restart a service). To drop privileges (from root to another user) you traditionally use the su -m <USER> method (as I demonstrate in my “plexdata backup method” writeup). So, when you said you: su -m root, it makes no sense.

Now, Linux and BSD are different. BSD is easier/cleaner in this respect (Linux has the su command, but they may have changed the usage to something else; Linux likes to change things), but I believe Linux has a runuser command, so you may be able to swap my use of su with runuser and get the same effect, but you will have to read up on that tool and run the test.

That was just me testing from the CLI, not running su -m root from within the script itself.

However, I think the issue was that the script was developed on a Windows system and the unicode was not correct and had to be converted to Linux.

I also fixed the issues with compaudit and the script is now running properly.

I’m confused. So, you are NOT having an issue?

I was, but the issue has been solved.

Makes perfect sense.

To any future users reading this thread: I hope anything I’ve said can help you.

I am getting the same error with a cron job after upgrading to TrueNAS SCALE 24.10. The job worked without any issues before the upgrade and still runs fine from the command line with sudo, but when run as a cron job I only get the error sudo: process 7517 unexpected status 0x57f

Ah, found the problem. The shell script I used to start the job was missing a shebang :man_facepalming: After adding it everything works fine in 24.10 too.
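
The causes reported in this thread (a missing shebang, a script saved on Windows, and file permissions) can be checked before a script is scheduled. The following is an added example, not code from any poster; the function name `cron_preflight` and the finding keywords are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Prints one finding per line for a
# script that cron will execute; no output means every check passed.
cron_preflight() {
    script=$1
    [ -f "$script" ] || { echo "not-a-file"; return 0; }

    # First three bytes as hex: "2321" is "#!", "efbbbf" is a UTF-8 BOM.
    head3=$(od -An -tx1 -N3 "$script" | tr -d ' \n')
    case $head3 in
        efbbbf) echo "utf8-bom" ;;    # a BOM hides the "#!" from the kernel
        2321*)  ;;                    # interpreter line present
        *)      echo "no-shebang" ;;  # no interpreter named in the file
    esac

    # Windows line endings turn "#!/bin/bash" into "#!/bin/bash\r".
    cr=$(printf '\r')
    if grep -q "$cr" "$script"; then echo "crlf"; fi

    # Running the file by its path needs an execute bit.
    [ -x "$script" ] || echo "not-executable"

    # Anyone who can write the file controls what the cron user runs.
    if [ -n "$(find "$script" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "writable-by-group-or-other"
    fi
    return 0
}

# Usage: sh cron-preflight.sh /path/to/script.sh [...]
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        echo "== $f"
        cron_preflight "$f"
    done
fi
```

A script with mode 770, like the one posted earlier in the thread, is reported as writable-by-group-or-other: every member of the owning group can change what the scheduled job executes.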