System Administration Guide, Volume 2

Controlling Access to crontab

You can control access to crontab by using two files in the /etc/cron.d directory: cron.deny and cron.allow. These files permit only specified users to perform crontab tasks such as creating, editing, displaying, or removing their own crontab files.

The cron.deny and cron.allow files consist of a list of user names, one per line. These access control files work together like this: if cron.allow exists, only the users listed in it can use crontab commands; if cron.allow does not exist, every user except those listed in cron.deny can use them.

Superuser privileges are required to edit or create the cron.deny and cron.allow files.

During SunOS software installation, a default cron.deny file is provided:


$ cat /etc/cron.d/cron.deny
daemon
bin
smtp
nuucp
listen
nobody
noaccess

None of these user names can access crontab commands. You can edit this file to add other user names who will be denied access to the crontab command.

No default cron.allow file is supplied. This means that, after Solaris software installation, all users (except the ones listed in the default cron.deny file) can access crontab. If you create a cron.allow file, only the users listed in it can access crontab commands.

How to Deny crontab Access

  1. Become superuser.

  2. Edit the /etc/cron.d/cron.deny file and add, one per line, the user names that are to be prevented from using crontab commands.


    daemon
    bin
    smtp
    nuucp
    listen
    nobody
    noaccess
    username1
    username2
    username3
    .
    .
    .
  3. Verify the /etc/cron.d/cron.deny file.


    # cat /etc/cron.d/cron.deny

How to Limit crontab Access to Specified Users

  1. Become superuser.

  2. Create the /etc/cron.d/cron.allow file.

  3. Enter, one per line, the user names that are to be allowed to use crontab commands.


    root
    username1
    username2
    username3
    .
    .
    .

    Be sure to add root to this list. If you do not, superuser access to crontab commands will be denied.

Examples--Limiting crontab Access to Specified Users

The following example shows a cron.deny file that prevents user names visitor, jones, and temp from accessing crontab.


$ cat /etc/cron.d/cron.deny
daemon
bin
smtp
nuucp
listen
nobody
noaccess
jones
temp
visitor

The following example shows a cron.allow file. The users smith, jones, lp, and root are the only ones who may access crontab.


$ cat /etc/cron.d/cron.allow
root
jones
lp
smith

How to Verify Limited crontab Access

To verify whether or not a specific user can access crontab, use the crontab -l command while logged into the user account.


$ crontab -l

If the user can access crontab and has already created a crontab file, that file is displayed. If the user can access crontab but no crontab file exists, a message like the following is displayed:


crontab: can't open your crontab file

This user either is listed in cron.allow (if it exists), or is not listed in cron.deny.

If the user cannot access crontab, the following message is displayed whether or not a previous crontab file exists:


crontab: you are not authorized to use cron. Sorry.

This means either that the user is not listed in cron.allow (if it exists), or the user is listed in cron.deny.
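Logging in as each account to run crontab -l does not scale to many users. The following added example (not part of this guide) reproduces the cron.allow/cron.deny decision described above as a shell function and audits every account in a passwd-format file against constructed copies of the files shown on this page. The file locations are parameters so the logic can be exercised without touching /etc/cron.d; the rule applied when neither file exists (only root may use crontab) is the Solaris crontab(1) behaviour and is an assumption, since this page does not cover that case.

```shell
#!/bin/sh
# Added example: audit which accounts may use crontab under the
# cron.allow / cron.deny rules, without logging in as each user.

# Return 0 (allowed) or 1 (denied) for user $1, given allow file $2
# and deny file $3. cron.allow, when present, is authoritative and
# cron.deny is ignored; otherwise any user not in cron.deny is allowed.
# Neither file present: root only (Solaris crontab(1) rule, assumed here).
cron_access_allowed() {
    user=$1; allow=$2; deny=$3
    if [ -f "$allow" ]; then
        grep -qx "$user" "$allow"
        return $?
    fi
    if [ -f "$deny" ]; then
        if grep -qx "$user" "$deny"; then return 1; fi
        return 0
    fi
    [ "$user" = root ]
}

# Print "name: allowed" or "name: denied" for every account in the
# passwd-format file $1, using allow file $2 and deny file $3.
audit_crontab_access() {
    cut -d: -f1 "$1" | while read -r name; do
        if cron_access_allowed "$name" "$2" "$3"; then
            echo "$name: allowed"
        else
            echo "$name: denied"
        fi
    done
}

# Constructed sample files mirroring the examples on this page.
tmp=${TMPDIR:-/tmp}/cron-audit.$$
mkdir -p "$tmp"
printf 'daemon\nbin\nsmtp\nnuucp\nlisten\nnobody\nnoaccess\njones\ntemp\nvisitor\n' \
    > "$tmp/cron.deny"
printf 'root\njones\nlp\nsmith\n' > "$tmp/cron.allow"
printf 'root:x:0:0::/:/bin/sh\njones:x:100:1::/home/jones:/bin/sh\n' > "$tmp/passwd"
printf 'visitor:x:101:1::/home/visitor:/bin/sh\n' >> "$tmp/passwd"

echo "cron.deny only:"
audit_crontab_access "$tmp/passwd" "$tmp/no-such-allow" "$tmp/cron.deny"
echo "cron.allow present (cron.deny ignored):"
audit_crontab_access "$tmp/passwd" "$tmp/cron.allow" "$tmp/cron.deny"
rm -rf "$tmp"
```

Note that jones is denied in the first run and allowed in the second: once cron.allow exists, a listing in cron.deny no longer has any effect.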