Go to main content

Managing System Information, Processes, and Performance in Oracle® Solaris 11.4

Exit Print View

Updated: August 2018
 
 

Controlling Access to the crontab Command

You can control access to the crontab command by using two files in the /etc/cron.d directory: cron.deny and cron.allow. These files permit only specified users to perform crontab command tasks such as creating, editing, displaying, or removing their own crontab files.

The cron.deny and cron.allow files consist of a list of user names, one user name per line.

    These access control files work together as follows:

  • If cron.allow exists, only the users who are listed in this file can create, edit, display, or remove crontab files.

  • If cron.allow does not exist, all users can submit crontab files except for users who are listed in cron.deny.

  • If neither cron.allow nor cron.deny exists, you must assume the root role to run the crontab command.

  • In order to edit or create the cron.deny and cron.allow files, you must assume the root role.

The following user names are a part of the cron.deny file, which is created during the Oracle Solaris software installation.

$ cat /etc/cron.d/cron.deny
daemon
bin
smtp
nuucp
listen
nobody
noaccess

None of the user names in the default cron.deny file can access the crontab command. You can edit this file to add other users that will be denied access to the crontab command.

Because no default cron.allow file is supplied, all users except users who are listed in the default cron.deny file can access the crontab command. If you create a cron.allow file, only these users can access the crontab command.

How to Deny crontab Command Access

  1. Assume the root role.

    See Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  2. Edit the /etc/cron.d/cron.deny file and add user names, one user per line, who will be denied access to the crontab commands.
    daemon
    bin
    smtp
    nuucp
    listen
    nobody
    noaccess
    username1
    username2
    username3
    ...
  3. Verify that the /etc/cron.d/cron.deny file contains the new entries.
    # cat /etc/cron.d/cron.deny
    daemon
    bin
    nuucp
    listen
    nobody
    noaccess

How to Limit crontab Command Access to Specified Users

  1. Assume the root role.

    See Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  2. Create the /etc/cron.d/cron.allow file.
  3. Add the root role to the cron.allow file.

    If you do not add root to the file, root access to crontab commands will be denied.

  4. Add the user names, one user name per line, who will be allowed to use the crontab command.
    root
    username1
    username2
    username3
    .
    .
    .
Example 38  Limiting crontab Command Access to Specified Users

The following example shows a cron.deny file that prevents user names jones, temp, and visitor from accessing the crontab command.

$ cat /etc/cron.d/cron.deny
daemon
bin
smtp
nuucp
listen
nobody
noaccess
jones
temp
visitor

The following example shows a cron.allow file. The users root, jones, and smith are the only users who can access the crontab command.

$ cat /etc/cron.d/cron.allow
root
jones
smith

Verifying Limited crontab Command Access

To verify whether a specific user can access the crontab command, use the crontab -l command while you are logged into the user account.

$ crontab -l

If the user can access the crontab command and already has created a crontab file, the file is displayed. The following message is displayed if the user can access the crontab command but no crontab file exists.

crontab: can't open your crontab file

Either this user is listed in the cron.allow file (if the file exists) or the user is not listed in the cron.deny file.

The following message is displayed if the user cannot access the crontab command, regardless of whether a previous crontab file exists.

crontab: you are not authorized to use cron. Sorry.

This message means that either the user is not listed in the cron.allow file (if the file exists) or the user is listed in the cron.deny file.