If a job requires that a profile shell execute the job, the Security Administrator role must ensure that all of the job's commands are also in a rights profile assigned to the invoking user.
cron jobs can be executed using a profile shell. Profile shells are documented on the pfexec(1) man page. A profile shell can execute a cron job if:
The invoking account's login shell is the one of the profile shells or
The $SHELL
environment variable is set to/bin/[pfsh|pksh|pcsh]
Otherwise, the cron program uses the default Bourne shell, sh(1), for cron jobs.
For at jobs there is a third case in which the profile shell is used. A user can use the at program with the -c (for csh), -k (for ksh), -s (for sh), option along with the -P (for profile shell) option to specify the shell which should run the job. Therefore, at jobs are executed in the profile shell if:
The invoking account's login shell is one of the profile shells or
The $SHELL
environment variable is set to a profile shell or
The at command is specified with the -P option
If none of the previously described conditions apply, the at program uses:
Any shell specified with either the -c, -k, or -s options or
The default shell, sh