Problems setting up crontab entry to shut down Ethernet

Hello, I am running Xubuntu. The version is: 24.04.1.

I am trying to set up a crontab entry to shut down the Ethernet on either system startup or reboot as follows:

@reboot sleep 30; /usr/sbin/ip link set down dev eno1

Also, I set up pam_time to run and have limited the hours root can log in.

What happens is if I allow root login, the crontab entry works fine. But when I block root login (through /etc/security/time.conf) the crontab entry doesn’t work.

Do you have the option to create/use a systemd service for this job instead of crontab? If so, does this method work with root login blocked?

1 Like

Well, I could use crontab until I upgraded the Ubuntu release. Maybe the default security was increased.

Thanks for the suggestion of a systemd service. It might be a bit too complicated for what I need, so I’ll also try some other approaches.

I’m curious: does sudo work in cron jobs when root is not allowed to log in? But this sounds rather ‘dirty’ to me …

Another question: why do you need / allow root login?

1 Like

Is there any particular reason you weaken the security of your system like this by setting a root password instead of applying pam_time to sudo for scheduled admin tasks? Adding a root password opens quite an attack vector for brute force attacks even if you put it on a schedule, while you could lock down sudo the same way with pam_time without opening the system to such attacks…

1 Like

Hello again and thanks everyone for the replies. I’ll explain what I was trying to do in more detail. I will admit I don’t know enough about system administration to understand the risks of opening root, although I felt for a personal system it might not matter.

Before I updated my Ubuntu release, I had a method of configuring access so that I wouldn’t use the Internet too much. I could also limit hours on the computer for the user.

  1. I had one script that would get the current date and parse it, then only allow access to the Internet during certain times of the day and certain days of the week. If access was not allowed, the Ethernet and wireless interface would be put down. This was run as a crontab entry at startup and also at times when I wanted to bring the interface up.

  2. I used pam_time to allow/disallow access to root and the user.

Using the script, crontab and pam_time was a good way for me to configure access. I also used the hosts file to limit access to sites.

Now, my problem is I can’t set up my script with crontab to police access to the Internet and the system. I think this is because of higher security policy in the new release, but I might be wrong.

If systemd is really the best solution, does anyone have a link to a simple method of setting up services?

Perhaps adding the command
@reboot sleep 30; sudo /usr/sbin/ip link set down dev eno1
to crontab for one user with sudo rights may work.

1 Like

To be honest, this is not an ideal way to go about this, for two main reasons:

The command will fail silently unless either:

  1. the user can run that sudo command without a password, which compromises security, and
  2. cron has permission to execute that sudo command in a non-interactive environment

Using a systemd unit, coupled with a timer, is a much better and safer way to achieve this.

4 Likes

Here is an example (untested):

[Unit]
Description=Kill eno1 on Shutdown and Reboot
DefaultDependencies=no
Before=halt.target shutdown.target reboot.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set down dev eno1
RemainAfterExit=yes

[Install]
WantedBy=halt.target shutdown.target reboot.target

1 Like

I have a tested example from my Ubuntu 24.04.2 install.

Note, this was tested on my system. We do not know your setup.

If you run into problems, please come back and we can help.

  • Create a systemd service unit
    sudo nano /etc/systemd/system/network-down.service

Inside the file, add the following:

[Unit]
Description=Disable network interface eno1 after a delay
After=network.target

[Service]
ExecStartPre=/bin/sleep 30
ExecStart=/usr/sbin/ip link set down dev eno1

[Install]
WantedBy=multi-user.target

Ctrl+O to write, Ctrl+X to exit

  • Create a systemd timer unit
    sudo nano /etc/systemd/system/network-down.timer

Inside this new file, add this content:

[Unit]
Description=Run network-down service after boot

[Timer]
OnBootSec=30s

[Install]
WantedBy=timers.target

Save as before.

  • Enable and start the timer
    sudo systemctl enable network-down.timer
    sudo systemctl start network-down.timer

Reboot and test.

If you want to bring the connection up manually, do it like this:
sudo ip link set eno1 up

Hope this helps.

2 Likes
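
The time-window check the original poster describes (a script that parses the current date and takes the interfaces down outside permitted hours), written so it can be the ExecStart= of a oneshot service like the one above. This is an added example, not code from the thread; the allowed hours, the wlan0 interface name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the network links
# should be up or down for the current day and hour, then apply it.
# Assumed policy: Mon-Fri 18:00-21:59, Sat-Sun 09:00-21:59.
IFACES="eno1 wlan0"   # eno1 is from the thread; wlan0 is a placeholder

# desired_state DOW HOUR -> prints "up" or "down"
# DOW is 1..7 (Mon..Sun, `date +%u`), HOUR is 0..23 (`date +%H`).
desired_state() {
    dow=$1
    hour=$2
    # Fail closed: anything that is not a valid day/hour means "down".
    case "$dow:$hour" in
        [1-7]:[0-9]|[1-7]:[01][0-9]|[1-7]:2[0-3]) ;;
        *) echo down; return 1 ;;
    esac
    hour=${hour#0}          # "09" -> "9", "00" -> "0"
    hour=${hour:-0}         # "0"  -> ""  -> "0"
    if [ "$dow" -le 5 ]; then start=18; else start=9; fi
    if [ "$hour" -ge "$start" ] && [ "$hour" -lt 22 ]; then
        echo up
    else
        echo down
    fi
}

# apply_policy [--apply]
# Without --apply it only prints what it would do (dry run), so the
# policy can be checked as an ordinary user before it is installed.
apply_policy() {
    now=$(date '+%u %H')    # one call, so day and hour are consistent
    state=$(desired_state "${now% *}" "${now#* }") || state=down
    for dev in $IFACES; do
        if [ "$1" = "--apply" ]; then
            /usr/sbin/ip link set dev "$dev" "$state"
        else
            echo "dry-run: ip link set dev $dev $state"
        fi
    done
}

apply_policy "${1:-}"
```

Run with `--apply` from a `Type=oneshot` service, a timer that combines `OnBootSec=` with `OnCalendar=hourly` re-evaluates the window at boot and every hour without cron or a root login being involved.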

Thanks for the feedback and examples! I will get to work on this over the next day or two and report back by the weekend. The examples are very helpful.

Hello again, I have returned to report back. I set up the example provided by rubi1200 and it worked perfectly! I also appreciated the example provided by ogra and want to thank everyone else too.

I am very happy. Systemd has always been a mystery to me and I was a bit intimidated. But setting up the service and timer units was very straightforward. Actually, it is kind of fun to learn something new.

Thanks again, I appreciate the help!

3 Likes

Glad it all worked out 🙂
