Cron – Controlling who is allowed to schedule jobs

Overview

By the end of this article you should be able to answer the following questions:


How do you prevent the user 'david', from creating their own cron jobs (using the crontab command)?

Append their username to the following file:
$ cat /etc/cron.deny
david

By default everyone can create their own cron jobs (via the crontab command), how do you reverse this so that by default no one can create their own jobs?

$ touch /etc/cron.allow


How do you prevent the user 'david', from creating their own 'at' jobs (using the 'at' command)?

# Append their username to the following file:
/etc/at.deny

By default everyone can create their own 'at' jobs (via the 'at' command), how do you reverse this so that by default no one can create their own jobs?

/etc/at.allow


Controlling who can create cron jobs

                 
By default all users are allowed to use the crontab command to manage their respective cron jobs. To restrict a user from using the crontab command, we can add their names to the /etc/cron.deny file:

$ cat /etc/passwd | egrep 'tom|jerry'
tom:x:1003:1003::/home/tom:/bin/bash
jerry:x:1004:1004::/home/jerry:/bin/bash
$ cat /etc/cron.deny
jerry
tom

Notice, each user name is on it’s own line.

After that, the listed users can no longer use the crontab command, which in turn means that they can’t manage their cron jobs:

$ su - jerry
Last login: Sat May  9 21:48:35 BST 2015 on pts/1
$ crontab -e
You (jerry) are not allowed to use this program (crontab)
See crontab(1) for more information
$ crontab -l
You (jerry) are not allowed to use this program (crontab)
See crontab(1) for more information

Notice, you can’t even using crontab for viewing a list of cron jobs.

By default everyone has crontab access, and you remove access by adding usernames to the /etc/cron.deny. If you have a lot of users and the majority of them are not supposed to have crontab access, then a better option is to change the default, so that by default user’s don’t have crontab access. This is done by simply creating the /etc/cron.allow file:

$ su - homer
Last login: Sat Apr 11 18:23:26 BST 2015 from powershellpc.codingbee.dyndns.org on pts/7
$ crontab -l
no crontab for homer
$ exit
logout
$ touch /etc/cron.allow
$ su - homer
Last login: Sat May  9 22:09:19 BST 2015 on pts/1
$ crontab -l
You (homer) are not allowed to use this program (crontab)
See crontab(1) for more information

Now you can give crontab access to users by explicitly adding their name to the /etc/cron.allow file.

The equivalent privelege system exists for the “at” system. By default, anyone can create an “at” job unless their name is added to:

/etc/at.deny

If you want to change the default so that no one can set “at” jobs, then you need to delete the above file and replace it with:

/etc/at.allow

Note: You can either have the .allow file or the .deny file, but you can’t have them both exist at the same time. I think the same applies to cron.allow and cron.deny.