cron
and at
pam_apparmor
cron
and at
#Edit source
This chapter explains how to restrict access to the cron
and at
daemons to improve the security of a system.
cron
daemon #Edit source
The cron
system is used to automatically run commands in the background at
predefined times. For more information about cron
, refer to the Book “Reference”, Chapter 15 “Special system features”, Section 15.1.2 “The cron package”.
The cron.allow
file specifies a list of users that are
allowed to execute jobs via cron
. The file does not exist by default, so
all users can create cron
jobs—except for those listed in
cron.deny
.
To prevent users except for root
from creating cron
jobs, perform
the following steps.
Create an empty file /etc/cron.allow
:
tux >
sudo
touch
/etc/cron.allow
Allow users to create cron
jobs by adding their user names to the file:
tux >
sudo
echo
"tux" >> /etc/cron.allow
To verify, try creating a cron
job as non-root user listed in
cron.allow
. You should see the message:
tux >
crontab -e
no crontab for tux - using an empty one
Quit the crontab editor and try the same with a user not listed in the file (or before adding them in step 2 of this procedure):
wilber >
crontab -e
You (wilber) are not allowed to use this program (crontab) See crontab(1) for more information
cron
jobs
Implementing cron.allow
prevents users from
creating new cron
jobs. Existing jobs run, even for users
listed in cron.deny
. To prevent this, create the file
as described and remove existing user crontabs from the directory
/var/spool/cron/tabs
to ensure they are not run
anymore.
systemd
timer units
You should also consider switching to systemd
timer units, as they allow
for more powerful and reliable task execution. By default, users cannot use
them to run code when they are not logged in. This limits the way users can
interact with the system while not being connected to it.
For more information about systemd
timer units, refer to Book “Reference”, Chapter 10 “The systemd
daemon”, Section 10.7 “systemd
timer units”.
at
scheduler #Edit source
The at
job execution system allows
users to scheduled one-time running jobs. The at.allow
file specifies a list of users that are allowed to schedule jobs via
at
. The file does not exist by
default, so all users can schedule at
jobs—except for those listed in at.deny
)
To prevent users except for root
from scheduling jobs with at
, perform the following steps.
Create an empty file /etc/at.allow
:
tux >
sudo
touch
/etc/at.allow
Allow users to schedule jobs with at
by adding their user names to the file:
tux >
sudo
echo
"tux" >> /etc/at.allow
To verify, try scheduling a job as non-root user listed in
at.allow
:
tux >
at 00:00
at>
Quit the at
prompt with
Ctrl–C and
try the same with a user not listed in the file (or
before adding them in step 2 of this procedure):
wilber >
at 00:00
You do not have permission to use at.
at
at
is not widely used anymore.
If you do not have valid use cases, consider uninstalling the daemon instead
of just restricting its access.