You can set up a file to control access to the at command, permitting only specified users to create, remove, or display queue information about their at jobs. The file that controls access to the at command, /etc/cron.d/at.deny, consists of a list of user names, one user name per line. The users who are listed in this file cannot access at commands.
The following user names are a part of the at.deny file, which is created during the Oracle Solaris software installation.
daemon bin smtp nuucp listen nobody noaccess
With superuser privileges, you can edit the at.deny file to add other user names whose at command access you want to restrict.
As root, edit the /etc/cron.d/at.deny file to add the names of users that you want to prevent from using the at commands. Add only one user name per line.
daemon bin smtp nuucp listen nobody noaccess username1 username2 username3 ...Example 41 Denying at Access
The following example shows an at.deny file that has been edited so that the users smith and jones cannot access the at command.
$ cat at.deny daemon bin smtp nuucp listen nobody noaccess jones smith
To verify that a username was added correctly to the /etc/cron.d/at.deny file, use the at -l command while logged in as the user. For example, if the logged-in user smith cannot access the at command, the following message is displayed:
# su smith Password: # at -l at: you are not authorized to use at. Sorry.
Likewise, if the user tries to submit an at job, the following message is displayed:
# at 2:30pm at: you are not authorized to use at. Sorry.
This message confirms that the user is listed in the at.deny file.
If at command access is allowed, then the at -l command returns nothing.