15 Restricting cron
and at
#
This chapter explains how to restrict access to the cron
and at
daemons to improve the security of a system.
15.1 Restricting the cron
daemon #
The cron
system is used to automatically run commands in the background at
predefined times. For more information about cron
, refer to the Book “Reference”, Chapter 15 “Special system features”, Section 15.1.2 “The cron package”.
The cron.allow
file specifies a list of users that are
allowed to execute jobs via cron
. The file does not exist by default, so
all users can create cron
jobs—except for those listed in
cron.deny
.
To prevent users except for root
from creating cron
jobs, perform
the following steps.
Create an empty file
/etc/cron.allow
:tux >
sudo
touch
/etc/cron.allowAllow users to create
cron
jobs by adding their usernames to the file:tux >
sudo
echo
"tux" >> /etc/cron.allowTo verify, try creating a
cron
job as non-root user listed incron.allow
. You should see the message:tux >
crontab -e
no crontab for tux - using an empty oneQuit the crontab editor and try the same with a user not listed in the file (or before adding them in step 2 of this procedure):
wilber >
crontab -e
You (wilber) are not allowed to use this program (crontab) See crontab(1) for more information
cron
jobs
Implementing cron.allow
only prevents users from
creating new cron
jobs. Existing jobs will still be run, even for users
listed in cron.deny
. To prevent this, create the file
as described and remove existing user crontabs from the directory
/var/spool/cron/tabs
to ensure they are not run
anymore.
systemd
timer units
You should also consider switching to systemd
timer units, as they allow
for more powerful and reliable task execution. By default, users cannot use
them to run code when they are not logged in. This limits the way users can
interact with the system while not being connected to it.
For more information about systemd
timer units, refer to Book “Reference”, Chapter 10 “The systemd
daemon”, Section 10.7 “systemd
timer units”.
15.2 Restricting the at
scheduler #
The at
job execution system allows
users to scheduled one-time running jobs. The at.allow
file specifies a list of users that are allowed to schedule jobs via
at
. The file does not exist by
default, so all users can schedule at
jobs—except for those listed in at.deny
)
To prevent users except for root
from scheduling jobs with at
, perform the following steps.
Create an empty file
/etc/at.allow
:tux >
sudo
touch
/etc/at.allowAllow users to schedule jobs with
at
by adding their usernames to the file:tux >
sudo
echo
"tux" >> /etc/at.allowTo verify, try scheduling a job as non-root user listed in
at.allow
:tux >
at 00:00
at>Quit the
at
prompt with Ctrl–C and try the same with a user not listed in the file (or before adding them in step 2 of this procedure):wilber >
at 00:00
You do not have permission to use at.
at
at
is not widely used anymore.
If you do not have valid use cases, consider uninstalling the daemon instead
of just restricting its access.