
Anyone know what this means? Getting one of these every minute in one user's inbox:

From: Cron Daemon <joe@mail.domain.com>
Subject: Cron <joe@mail> /tmp/.d/update >/dev/null 2>&1
To: joe@mail.domain.com
Received: from murder ([unix socket]) by mail.domain.com (Cyrus v2.2.12-OS X 10.3) with LMTPA; Tue, 04 May 2010 10:35:00 -0700

shell-init: could not get current directory: getcwd: cannot access parent directories: Permission denied
job-working-directory: could not get current directory: getcwd: cannot access parent directories: Permission denied

Note: this user's password was changed with Workgroup Manager just prior to these errors starting. We had to change the password because the user was having trouble logging into their account. Now the user can log in and send/receive mail...but we get these Cron Daemon emails every minute?!?

Note2: Contents of /tmp/ (no idea where these came from? hacked?)

drwxrwxrwt   6 root  wheel    204  4 May 12:05 .
drwxr-xr-x   5 root  wheel    170  4 May 07:37 ..
-rw-------   1 joe   wheel  12288  4 May 12:05 .crontab.FMpeV8DU4U.swp
drwxr-xr-x  20 joe   wheel    680  4 May 09:00 .d
-rw-------   1 joe   staff     41  4 May 12:05 crontab.FMpeV8DU4U
drwx------   2 joe   wheel     68  4 May 12:05 v5792
srwxrwxrwx   1 root  wheel      0  4 May 07:38 ARD_ABJMMRT
-rw-r--r--   1 root  wheel    645  4 May 07:39 mcx_compositor
-rw-r--r--   1 root  wheel   3413  4 May 08:46 users.txt

mail:/tmp/.d bob$ ls -al
total 1128

drwxr-xr-x  20 joe  wheel     680  4 May 09:00 .
drwxrwxrwt   6 root wheel     204  4 May 12:05 ..
-rwxr-xr-x   1 joe  wheel     250  4 May 12:00 1
-rwxr-xr-x   1 joe  wheel     250  4 May 12:00 2
-rwxr-xr-x   1 joe  wheel      34  4 May 08:29 LinkEvents
-rwxr-xr-x   1 joe  wheel     317 30 Oct  2006 autorun
-rwxr-xr-x   1 joe  wheel  491112 23 Jul  2006 bash
-rw-r--r--   1 joe  wheel      41  4 May 08:28 cron.d
-rw-r--r--   1 joe  wheel    1982  4 May 12:30 dorob.seen
-rwxr-xr-x   1 joe  wheel   22465 23 Jul  2006 m.help
-rwxr-xr-x   1 joe  wheel    1022  4 May 12:00 m.levels
-rw-------   1 joe  wheel       4  4 May 08:28 m.pid
-rw-r--r--   1 joe  wheel     871  4 May 12:00 m.session
-rwxr-xr-x   1 joe  wheel    1244  4 May 08:28 m.set
-rw-r--r--   1 joe  wheel       8  4 May 08:28 mech.dir
drwxr-xr-x  11 joe  wheel     374 26 Dec  2008 r
-rwxr-xr-x   1 joe  wheel      29 30 Oct  2006 run
-rw-r--r--   1 joe  wheel     500  4 May 12:30 srjfs.seen
-rwxr-xr-x   1 joe  wheel      28 26 Dec  2008 start
-rwxr--r--   1 joe  wheel     151  4 May 08:28 update

Not sure if this is helpful but including it because I'm not sure why it's there...Contents of users.txt:

mail:/tmp bob$ sudo more users.txt
Password:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>imapRequests</key>
        <integer>11</integer>
        <key>popRequests</key>
        <integer>0</integer>
        <key>state</key>
        <string>RUNNING</string>
        <key>totalRequests</key>
        <integer>11</integer>
        <key>usersArray</key>
        <array>
                <dict>
                        <key>connectionElapsedTime</key>
                        <integer>1275</integer>
                        <key>ipAddress</key>
                        <string>10.1.10.181</string>
                        <key>name</key>
                        <string>jim</string>
                        <key>number</key>
                        <string>1</string>
                        <key>type</key>
                        <string>imap</string>
                </dict>
     ...repeat a few times...
                <dict>
                        <key>connectionElapsedTime</key>
                        <integer>1164</integer>
                        <key>ipAddress</key>
                        <string>241.114.25.183</string>
                        <key>name</key>
                        <string>bob</string>
                        <key>number</key>
                        <string>1</string>
                        <key>type</key>
                        <string>imap</string>
                </dict>
     ...repeat a few times...
        </array>
</dict>
</plist>

Note3:

System Log getting bombarded with this every 2-3 seconds:

May  4 12:30:45 mail sshd[7758]: /etc/sshd_config line 93: Deprecated option VerifyReverseMapping
May  4 12:30:48 mail xinetd[352]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
May  4 12:30:48 mail xinetd[352]: START: ssh pid=7760 from=211.210.42.102
Meltemi

2 Answers


Given the /tmp/.d name, I'm guessing you've been hacked. I can't imagine anyone would name something that for normal reasons.

Strictly speaking, what it means is that the script /tmp/.d/update is being run by cron from Joe's home directory, but doesn't have permissions to be operating on specific directories specified in the script.

Jon Lasser
cannot access parent directories: Permission denied

means it can't read/write the directory above the one the script is running from.

Post your script.

Most likely your script is working when you run it by hand as root, but by default, it's not running as root from cron. You can change that, however, by adding the username to your command in /etc/crontab.

solefald
  • How would I locate and disable, if necessary, this cron job? None have been added, to my knowledge, from the default install of Mac OS X Server (10.3) on this machine about 6 years ago... this one just started up recently... – Meltemi May 04 '10 at 18:52
  • I don't know where they live on Mac OS X server 10.3 (nor do I have any machines old enough to check now) -- you can 'sudo su - joe' and then 'crontab -e' to look at Joe's crontab file. – Jon Lasser May 04 '10 at 18:57
  • First, you should check if anything is inside `/usr/lib/cron` and check for suspicious files in the `jobs`, `spool`, `tab`, `tmp` directories. – solefald May 04 '10 at 19:05
  • Found: `* * * * * /tmp/.d/update >/dev/null 2>&1` – how to kill? – Meltemi May 04 '10 at 19:06
  • Found some weird stuff in /tmp which I deleted. users.txt was an XML file of, apparently, recent IMAP connections. Included contents above... – Meltemi May 04 '10 at 19:27
  • You can just delete that line. It will stop this script from running. Also delete it: `rm -r /tmp/.d/` – solefald May 04 '10 at 19:48
  • Thanks. That cleared things up. We've changed passwords and modified our firewall. I think that user's pwd got compromised. – Meltemi May 04 '10 at 20:39
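To find entries like the one Meltemi located (`* * * * * /tmp/.d/update >/dev/null 2>&1`) across every user's crontab in the spool that solefald points at, here is an added POSIX-shell triage scanner; it is not code from the thread or from Mac OS X Server. The sample crontab inside it is constructed, and the spool paths other than /usr/lib/cron/tabs are assumed defaults for newer macOS and Linux.

```shell
#!/bin/sh
# Added example, not from the thread: flag crontab entries that run
# commands from /tmp, /var/tmp, /dev/shm or a hidden directory, the
# shape of the entry found above: * * * * * /tmp/.d/update >/dev/null 2>&1
# This is a triage heuristic: every hit deserves a look, not all are bad.

# Usage: find_suspicious_cron_lines FILE   (or "-" / no argument for stdin)
# Prints matching lines; exit status 0 if any matched, 1 if none.
find_suspicious_cron_lines() {
    if [ $# -eq 0 ] || [ "$1" = "-" ]; then set --; fi
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$@" |
        grep -E -e '(^|[[:space:]])(/private)?(/var)?/tmp/' \
                -e '(^|[[:space:]])/dev/shm/' \
                -e '/\.[^/.[:space:]][^/[:space:]]*/'
}

# Walk crontab spool directories and report hits per file. /usr/lib/cron/tabs
# is the 10.3 location named in the thread; the others are assumed defaults
# for newer macOS (/var/at/tabs) and Linux (/var/spool/cron, .../crontabs).
scan_cron_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for tab in "$dir"/*; do
            [ -f "$tab" ] || continue
            find_suspicious_cron_lines "$tab" | sed "s|^|$tab: |"
        done
    done
}

# Constructed sample crontab (not a real capture) so the scanner runs offline.
SAMPLE_CRONTAB='# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
* * * * * /tmp/.d/update >/dev/null 2>&1
*/5 * * * * /Users/joe/bin/sync
30 4 * * 0 /var/tmp/cleanup.sh'

# Number of flagged lines in the sample (2: the /tmp/.d job and the
# /var/tmp job; the backup and sync entries are left alone).
count_suspicious_in_sample() {
    printf '%s\n' "$SAMPLE_CRONTAB" | find_suspicious_cron_lines - | wc -l | tr -d ' '
}

# Stand-alone run: show the sample hits, then check the real spool.
if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SAMPLE_CRONTAB" | find_suspicious_cron_lines -
    scan_cron_dirs /usr/lib/cron/tabs /var/at/tabs /var/spool/cron /var/spool/cron/crontabs
fi
```

Run it as root with `--run` so the spool files are readable; a live crontab can also be piped in with `crontab -u joe -l | find_suspicious_cron_lines -`.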