Is it a security risk to run my crontab jobs as root?

I have some cron jobs that I am running - mostly backup related stuff.

I am having to backup stuck like /etc/apache2/sites/available etc, which require root access.

I have a couple of questions:

When running on a headless server:

  1. Which user is the script run under (assuming I do not specify a user in the cron job entry)?
  2. Is it ok to run the backup script as root - or does that pose a security question?

BTW, my server is running Ubuntu 10.0.4 LTS


If you have secured access to the script sufficiently and made sensible precautions, running something from roots crontab is not usually a security risk.

But don't run a script as root that a non root user can edit or overwrite. This applies to jobs run from cron as well as interactively.

If that script includes other files same applies to them too.

If in doubt always use the principle of least privilege. If you are still unsure you can always ask specific questions on forums and in IRC.


There is (nearly) always a way to run something as a non root user. If all else fails using sudo to limit a user to specific commands also limits the potential to do harm.

So with the example you gave of backing up /etc/apache2/sites-available, that file is by default readable by anyone, so that implies it is access to the destination that is writeable by root only.

You could fix that by

  • create a group called backupadmins (for example)
  • set the group on the destination directory to backupadmins
  • add a user called backupuser (for example)
  • add the user backupuser to the group backupadmins.
  • make the directory writeable by the backupadmins group
  • run the cron job from backupuser's crontab.

It depends what the scripts are doing. If they are backing stuff up then it's probably fine them being root - if a malicious user overwrites these scripts you've probably got bigger problems anyway.

If they do stupid things like executing files found in directories, or anything that could be influenced by the content of the web directories, then you probably need to look into alternatives.