Friday, March 9, 2012 - 08:33
Thanks to the successful Make It Happen on consolidated cron jobs, we can set just one cron job per site.

As described in the docs, you can set this cron job using either a "URL" method or a "CLI" method.

The URL method uses wget or curl to mimic a web page request as if it were made anonymously over the Internet. With this method, we certainly want to require a password to avoid having anonymous users hit the cron job (which could be a vector for a denial of service attack). And CiviCRM rightly requires this password, refusing to run if it is missing or incorrect.

However, why are we requiring a password when using the CLI method?

If you have command line access to a CiviCRM install and you have read-access to the civicrm.settings.php file, you already have full access to the database.

If we require users to type a password when they run their CLI commands, it will in fact reduce security because:

  • It encourages users to put plain-text passwords in their cron jobs
  • For users who run the CLI commands manually, it encourages them to use short or easy-to-remember passwords to make it more convenient
  • Passwords provided directly on the command line are leaked to any other user on the system who can run ps to see running commands

There is a need to specify which user a cron job should be run as. However, the current cli.php implementation could provide the ability to specify a user without a password.

What do others think? Am I missing anything? As a security issue, it's best to be safe!
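The third point in the list above can be checked on any Unix host. The following is an added example, not part of the original post or of CiviCRM's code: it starts a stand-in job twice, once with the password as an argument and once reading it from an owner-only file, and reports whether the password shows up in the process's argument list. The `job -p` command line is a hypothetical stand-in and the password is a constructed value.

```shell
#!/bin/sh
# Added demo: where does a CLI password become visible to other local users?
SECRET='demo-pass-4f1c'   # constructed value, not a real credential

# Print the argument list of PID $1 the way any local user can read it
# (/proc on Linux, ps elsewhere).
visible_args() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Give background job $1 time to start, then return 0 if $SECRET appears
# in its visible argument list. The job is stopped afterwards.
secret_in_args_of() {
    pid=$1
    sleep 1
    found=1
    if visible_args "$pid" | grep -qF -- "$SECRET"; then found=0; fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return "$found"
}

# Case 1: password passed as an argument. "job -p" is a hypothetical
# stand-in for a cron command line, not a real tool's syntax.
password_as_argument_is_visible() {
    sh -c 'sleep 3; :' job -p "$SECRET" >/dev/null 2>&1 &
    secret_in_args_of "$!"
}

# Case 2: the job reads the password itself from a file only its owner
# can read; only the file path appears in the argument list.
password_in_file_is_visible() {
    f=$(mktemp) || return 2
    chmod 600 "$f"
    printf '%s\n' "$SECRET" > "$f"
    sh -c 'read -r pw < "$1"; sleep 3; :' job "$f" >/dev/null 2>&1 &
    secret_in_args_of "$!"
    rc=$?
    rm -f "$f"
    return "$rc"
}

if password_as_argument_is_visible; then echo "argument: password readable"; fi
if ! password_in_file_is_visible; then echo "0600 file: password not in argument list"; fi
```

The second case mirrors the post's argument: a job that can already read a protected settings file gains nothing from a password typed on the command line.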

I've opened a complementary issue.

I've wondered the same thing myself.  Requiring the password on the command-line is a security minus rather than a security plus.  As you've said, if you have access to the config file then you have database access...

That's a no-brainer: asking for the password (on the CLI) doesn't increase security, quite the contrary.

What ssh and phplist do is to have a whitelist of users that are allowed to run the cron. Not sure it adds anything but (sshd_config) you have:

AllowUsers bob cronjob whatever

and if you want to run it as jammie it will block. I'm assuming the rationale would be that I can't create activities or what else as dlobo or dgg, only as the "technical" cronjob user(s) listed there.

Don't have any opinion about it, besides yes, get rid of the mandatory password on the CLI.


It would be great to get that added. I'd also really like it if it could get triggered directly from Drupal's cron system, as it seems weird that I need to be running 2 separate updaters for the same site.