Controlling Access to the crontab Command
You can control access to the crontab command by using two files in the /etc/cron.d directory: cron.deny and cron.allow. These files permit only specified users to perform the crontab command tasks such as creating, editing, displaying, or removing their own crontab files.
The cron.deny and cron.allow files consist of a list of user names, one per line. These access control files work together as follows:
-
If cron.allow exists, only the users listed in this file can create, edit, display, or remove crontab files.
-
If cron.allow does not exist, all users can submit crontab files, except for users listed in cron.deny.
-
If neither cron.allow nor cron.deny exists, superuser privileges are required to run the crontab command.
Superuser privileges are required to edit or create the cron.deny and cron.allow files.
The cron.deny file, created during SunOS software installation, contains the following user names:
$ cat /etc/cron.d/cron.deny daemon bin smtp nuucp listen nobody noaccess |
None of the user names in the default cron.deny file can access the crontab command. You can edit this file to add other user names that will be denied access to the crontab command.
No default cron.allow file is supplied. So, after Solaris software installation, all users (except the ones listed in the default cron.deny file) can access the crontab command. If you create a cron.allow file, only these users can access the crontab command.
How to Deny crontab Access
-
Become superuser.
-
Edit the /etc/cron.d/cron.deny file and add user names, one per line, who will be prevented from using crontab commands.
daemon bin smtp nuucp listen nobody noaccess username1 username2 username3 . . .
-
Verify the /etc/cron.d/cron.deny file.
# cat /etc/cron.d/cron.deny
How to Limit crontab Access to Specified Users
-
Create the /etc/cron.d/cron.allow file.
-
Enter the root user name into the cron.allow file.
If you do not add root to the file, superuser access to crontab commands will be denied.
-
Enter the user names, one per line, that will be allowed to use the crontab command.
root username1 username2 username3 . . .
Examples—Limiting crontab Access to Specified Users
The following example shows a cron.deny file that prevents user names visitor, jones, and temp from accessing the crontab command.
$ cat /etc/cron.d/cron.denydaemon bin smtp nuucp listen nobody noaccess jones temp visitor |
The following example shows a cron.allow file. The users smith, jones, lp, and root are the only ones who can access the crontab command.
$ cat /etc/cron.d/cron.allow root jones lp smith |
How to Verify Limited crontab Access
To verify if a specific user can access crontab, use the crontab -l command while you are logged into the user account.
$ crontab -l |
If the user can access crontab, and already has created a crontab file, the file is displayed. Otherwise, if the user can access crontab but no crontab file exists, a message such as the following is displayed:
crontab: can't open your crontab file |
This user either is listed in cron.allow (if the file exists), or the user is not listed in cron.deny.
If the user cannot access the crontab command, the following message is displayed whether or not a previous crontab file exists:
crontab: you are not authorized to use cron. Sorry. |
This message means that either the user is not listed in cron.allow (if the file exists), or the user is listed in cron.deny.
- © 2010, Oracle Corporation and/or its affiliates