System Administration Guide: Advanced Administration
Previous Next

Document Information

Preface

1.  Managing Terminals and Modems (Overview)

2.  Setting Up Terminals and Modems (Tasks)

3.  Managing Serial Ports With the Service Access Facility (Tasks)

4.  Managing System Resources (Overview)

5.  Displaying and Changing System Information (Tasks)

6.  Managing Disk Use (Tasks)

7.  Managing Quotas (Tasks)

8.  Scheduling System Tasks (Tasks)

Creating and Editing crontab Files (Task Map)

Ways to Automatically Execute System Tasks

Scheduling a Repetitive System Task (cron)

Creating and Editing crontab Files

How to Create or Edit a crontab File

How to Verify That a crontab File Exists

Displaying crontab Files

How to Display a crontab File

Removing crontab Files

How to Remove a crontab File

Controlling Access to the crontab Command

How to Deny crontab Command Access

How to Limit crontab Command Access to Specified Users

Using the at Command (Task Map)

Scheduling a Single System Task (at)

How to Create an at Job

How to Display the at Queue

How to Verify an at Job

How to Display at Jobs

How to Remove at Jobs

How to Deny Access to the at Command

How to Verify That at Command Access Is Denied

9.  Managing System Accounting (Tasks)

10.  System Accounting (Reference)

11.  Managing System Performance (Overview)

12.  Managing System Processes (Tasks)

13.  Monitoring System Performance (Tasks)

14.  Troubleshooting Software Problems (Overview)

15.  Managing System Messages

16.  Managing Core Files (Tasks)

17.  Managing System Crash Information (Tasks)

18.  Troubleshooting Miscellaneous Software Problems (Tasks)

19.  Troubleshooting File Access Problems (Tasks)

20.  Resolving UFS File System Inconsistencies (Tasks)

21.  Troubleshooting Software Package Problems (Tasks)

Index

Controlling Access to the crontab Command

You can control access to the crontab command by using two files in the /etc/cron.d directory: cron.deny and cron.allow. These files permit only specified users to perform crontab command tasks such as creating, editing, displaying, or removing their own crontab files.

The cron.deny and cron.allow files consist of a list of user names, one user name per line.

These access control files work together as follows:

  • If cron.allow exists, only the users who are listed in this file can create, edit, display, or remove crontab files.

  • If cron.allow does not exist, all users can submit crontab files, except for users who are listed in cron.deny.

  • If neither cron.allow nor cron.deny exists, superuser privileges are required to run the crontab command.

Superuser privileges are required to edit or create the cron.deny and cron.allow files.

The cron.deny file, which is created during SunOS software installation, contains the following user names: 

$ cat /etc/cron.d/cron.deny
daemon
bin
smtp
nuucp
listen
nobody
noaccess

None of the user names in the default cron.deny file can access the crontab command. You can edit this file to add other user names that will be denied access to the crontab command.

No default cron.allow file is supplied. So, after Solaris software installation, all users (except users who are listed in the default cron.deny file) can access the crontab command. If you create a cron.allow file, only these users can access the crontab command.

How to Deny crontab Command Access

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Edit the /etc/cron.d/cron.deny file and add user names, one user per line. Include users who will be denied access to the crontab commands.
    daemon
bin
smtp
nuucp
listen
nobody
noaccess
username1
username2
username3
.
.
.
  3. Verify that the /etc/cron.d/cron.deny file contains the new entries.
    # cat /etc/cron.d/cron.deny
daemon
bin
nuucp
listen
nobody
noaccess

How to Limit crontab Command Access to Specified Users

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Create the /etc/cron.d/cron.allow file.
  3. Add the root user name into the cron.allow file.

    If you do not add root to the file, superuser access to crontab commands will be denied.

  4. Add the user names, one user name per line. Include users that will be allowed to use the crontab command.
    root
username1
username2
username3
.
.
.
Example 8-6 Limiting crontab Command Access to Specified Users

The following example shows a cron.deny file that prevents user names jones, temp, and visitor from accessing the crontab command.

$ cat /etc/cron.d/cron.deny
daemon
bin
smtp
nuucp
listen
nobody
noaccess
jones
temp
visitor

The following example shows a cron.allow file. The users root, jones, lp, and smith are the only users who can access the crontab command. 

$ cat /etc/cron.d/cron.allow
root
jones
lp
smith

How to Verify Limited crontab Command Access

To verify if a specific user can access the crontab command, use the crontab -l command while you are logged into the user account. 

$ crontab -l

If the user can access the crontab command, and already has created a crontab file, the file is displayed. Otherwise, if the user can access the crontab command but no crontab file exists, a message similar to the following message is displayed:

crontab: can't open your crontab file

Either this user either is listed in the cron.allow file (if the file exists), or the user is not listed in the cron.deny file.

If the user cannot access the crontab command, the following message is displayed whether or not a previous crontab file exists: 

crontab: you are not authorized to use cron. Sorry.

This message means that either the user is not listed in the cron.allow file (if the file exists), or the user is listed in the cron.deny file.
Previous Next