Today I learned: root’s cron (including stuff like logrotate) doesn’t run if root’s password is expired

… which can be hard to spot, since in most places you never use root’s password anywhere (you “sudo su” to root using your user’s password).

Today’s story:

  1. server has a logfile of several GB;
  2. head logfile shows it hasn’t been rotated in more than a year;
  3. running logrotate /etc/logrotate.conf manually works;
  4. /var/log/cron includes entries like:

Mar 22 14:10:01 xxxxxxxx crond[26561]: (root) PAM ERROR (Authentication token is no longer valid; new one required)
Mar 22 14:10:01 xxxxxxxx crond[26561]: (root) FAILED to authorize user with PAM (Authentication token is no longer valid; new one required)

  5. chage -l root shows that its password has expired…

Now, why did root have password expiration enabled? It’s a mystery 🙂 — probably someone ran a script configuring password expiration for all users and forgot to add some exceptions to it, root among them. Anyway,

chage -E -1 -M -1 root ; passwd root

solved the problem. Hope this is useful. 🙂

Today I Learned: Unix / Linux groups can have passwords

(Welcome to a new section on Zurgl: Today I Learned. As the name suggests, it’s for sharing Linux-related things I’ve just learned, even though I’ve been using Linux for over 20 years. Some of them may well be pretty basic (just like the following one) and even well-known; still, the “fun” part is that I’ve been able to work as a Linux sysadmin for two decades and administer several personal servers and use it as a desktop from time to time, and still hadn’t had a need for this until now.)

Did you know groups (not users) can have passwords, too? By default they don’t, but the groupadd command has a “-p” option (that requires an already encrypted password, so you’d need to encrypt it first and pipe it there). There’s also a gpasswd command. And, yes, an /etc/gshadow file.

Supposedly, the purpose of group passwords is for users to be able to join a password-protected group with the newgrp command, as long as they enter the group password correctly. If the group doesn’t have a password, then only someone with root access can add a user to it.

(newgrp also allows a user to change their own primary group for the duration of a session, as long as it’s one of their supplementary groups.)
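Since a group password is a shared secret that lets anyone who knows it newgrp into the group, the thing to know on a box you administer is which groups actually have one. The following audit is an added example, not code from the original post: it reads /etc/gshadow-format lines (name:password:administrators:members) and prints the groups whose password field holds a crypt(3)-style hash, as opposed to the empty, “!” or “*” values that mean no usable password. The sample data and its hashes are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed /etc/gshadow
# sample: the hashes are placeholders, not real crypt(3) output.
SAMPLE_GSHADOW='root:::
wheel:!::alice
staff:$6$constructedsalt$constructedhash::alice,bob
project:*:carol:carol,dave
legacy:$1$oldsalt$oldhash:carol:'

# Reads gshadow-format lines on stdin and prints "<group> <members>" for
# each group with a usable password, i.e. one that newgrp(1) will accept
# from a non-member who knows the secret. A field starting with "$" is a
# modular-crypt hash ($1$ MD5, $5$ SHA-256, $6$ SHA-512, ...); a 13-char
# [A-Za-z0-9./] string is a traditional DES hash. "!" and "*" are not
# valid hashes (no password), and an empty field restricts the group to
# its listed members.
groups_with_password() {
    awk -F: '
        $2 ~ /^\$/ || (length($2) == 13 && $2 ~ /^[A-Za-z0-9.\/]+$/) {
            print $1, ($4 == "" ? "-" : $4)
        }'
}

# Demonstration run on the constructed data (prints staff and legacy).
printf '%s\n' "$SAMPLE_GSHADOW" | groups_with_password
```

On a real system run it as root with `groups_with_password < /etc/gshadow`; a group that shows up and has no reason to be joinable by password can be cleaned up with `gpasswd -r <group>`, which removes the password and leaves membership to root and the group administrators.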