Managing System Information, Processes, and Performance in Oracle® Solaris 11.4

Updated: October 2019
 
 

Controlling Access to the at Command

You can set up a file to control access to the at command, permitting only specified users to create, remove, or display queue information about their at jobs. The file that controls access to the at command, /etc/cron.d/at.deny, consists of a list of user names, one user name per line. The users who are listed in this file cannot access at commands.

The following user names are a part of the at.deny file, which is created during the Oracle Solaris software installation.

daemon
bin
smtp
nuucp
listen
nobody
noaccess

In the root role, you can edit the at.deny file to add other user names whose at command access you want to restrict.

Denying Access to the at Command

As root, edit the /etc/cron.d/at.deny file to add the names of users that you want to prevent from using the at commands. Add only one user name per line.

daemon
bin
smtp
nuucp
listen
nobody
noaccess
username1
username2
username3
...

Example 42 Denying at Access

The following example shows an at.deny file that has been edited so that the users dsmith and jdoe cannot access the at command.

$ cat at.deny
daemon
bin
smtp
nuucp
listen
nobody
noaccess
jdoe
dsmith

Verifying That at Command Access Is Denied

To verify that a user name was added correctly to the /etc/cron.d/at.deny file, run the at -l command while logged in as that user. For example, if the logged-in user dsmith cannot access the at command, the following message is displayed:

# su dsmith
Password:
$ at -l
at: you are not authorized to use at.  Sorry.

If at command access is allowed, then the at -l command returns nothing.

Likewise, if the user tries to submit an at job, the following message is displayed:

$ at 2:30pm
at: you are not authorized to use at.  Sorry.

This message confirms that the user is listed in the at.deny file.
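
The one-name-per-line rule and the installation-time entries described above can also be checked directly against the file. The following sh script is an added example, not part of the Oracle documentation; the function names audit_at_deny and is_listed and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an at.deny-style file. Not Oracle's code.
# Names the page says are in at.deny after installation.
DEFAULTS="daemon bin smtp nuucp listen nobody noaccess"

# audit_at_deny FILE: print one finding per line; return 0 if clean, 1 if not.
audit_at_deny() {
    [ -r "$1" ] || { echo "cannot read $1"; return 2; }
    findings=$(awk -v defaults="$DEFAULTS" '
        NF == 0 { next }                      # ignore blank lines
        NF > 1  { printf "line %d: more than one name: %s\n", NR, $0; next }
        seen[$1]++ { printf "line %d: duplicate entry: %s\n", NR, $1 }
        END {
            n = split(defaults, d, " ")
            for (i = 1; i <= n; i++)
                if (!(d[i] in seen)) printf "missing default entry: %s\n", d[i]
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# is_listed USER FILE: succeed only if USER is alone on a line
# (literal, whole-line match, so "jdoe dsmith" does not count for dsmith).
is_listed() {
    grep -Fqx -- "$1" "$2"
}

# Constructed sample: two names share a line, bin is repeated, noaccess is gone.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
daemon
bin
smtp
nuucp
listen
nobody
bin
jdoe dsmith
EOF

audit_at_deny "$SAMPLE" || echo "at.deny needs fixing"
is_listed dsmith "$SAMPLE" || echo "dsmith is not on a line of its own"
```

To check the live file, call audit_at_deny /etc/cron.d/at.deny from an account that can read it.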