As you may be aware, ‘AT’ allows you to run a command or script at a particular time (say at midnight) and ‘CRONTAB’ allows you to run commands and scripts at scheduled times and at regular intervals. If you have a SuSE or an openSUSE system in a multi-user environment then it is important to control access to the crontab and at utilities to ensure system availability and security. This is one of the many steps in the system hardening procedures.
In SuSE and openSUSE the following files control access:
/etc/at.allow – only the users listed in the file are allowed to run ‘at’
/etc/at.deny – the users listed in the file are denied permission to run ‘at’
/etc/cron.allow – only the users listed in the file are allowed to run ‘crontab’
/etc/cron.deny – the users listed in the file are denied permission to run ‘crontab’
How it works?
1. If neither the allow files (/etc/cron.allow & /etc/at.allow) nor the deny files (/etc/cron.deny & /etc/at.deny) exist then only the root user can run the crontab & at commands.
2. If /etc/cron.deny & /etc/at.deny files exist and /etc/cron.allow & /etc/at.allow don’t exist (which is the default) then all users except the ones listed in the deny files are allowed access.
3. If /etc/cron.allow & /etc/at.allow files exist and /etc/cron.deny & /etc/at.deny don’t exist (which is the default) then only the users listed in the allow files are allowed access.
4. If both /etc/cron.allow & /etc/at.allow files and /etc/cron.deny & /etc/at.deny exist then the deny files are ignored and only the users listed in the allow files are allowed access.
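The four rules above, written out as a shell function that reports whether a given user may use crontab or at (an added example, not part of the original article). The function names check_access, listed and audit_users and the optional directory argument are assumptions of this example, and entries are assumed to be one user name per line.

```shell
#!/bin/sh
# Added example: evaluate the allow/deny rules for one user and one utility.

# listed USER FILE -> status 0 if USER is an exact, whole line in FILE
listed() {
    grep -qxF -- "$1" "$2" 2>/dev/null
}

# check_access SERVICE USER [DIR]
#   SERVICE is "cron" or "at". DIR defaults to /etc; it is a parameter only
#   so the logic can be exercised on a scratch copy (assumption of this example).
#   Prints "allowed" or "denied"; status is 0 for allowed, 1 for denied.
check_access() {
    svc=$1; usr=$2; base=${3:-/etc}
    allow="$base/$svc.allow"
    deny="$base/$svc.deny"

    # root keeps access in every case described above
    if [ "$usr" = root ]; then echo allowed; return 0; fi

    if [ -f "$allow" ]; then
        # Rules 3 and 4: an allow file exists, so any deny file is ignored
        if listed "$usr" "$allow"; then echo allowed; return 0; fi
        echo denied; return 1
    fi
    if [ -f "$deny" ]; then
        # Rule 2: only a deny file exists, everyone not listed gets access
        if listed "$usr" "$deny"; then echo denied; return 1; fi
        echo allowed; return 0
    fi
    # Rule 1: neither file exists, only root may use the utility
    echo denied; return 1
}

# audit_users DIR USER... -> one line per user with the cron and at verdicts
audit_users() {
    audit_dir=$1; shift
    for u in "$@"; do
        c=$(check_access cron "$u" "$audit_dir") || true
        a=$(check_access at "$u" "$audit_dir") || true
        printf '%s cron=%s at=%s\n' "$u" "$c" "$a"
    done
}
```

For a quick review of a live system, call audit_users /etc followed by the account names you want to check.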
How to use it?
Ideally, it is best to create an /etc/cron.allow and also an /etc/at.allow file and ensure that only those users who have a need to run cron or at jobs are entered into these files. This will allow access only to those users and deny every other user (except root) the permission to run cron/at jobs on the system.
So, for instance if a user is listed in /etc/cron.deny file and the /etc/cron.allow file doesn’t exist then this is the outcome when he runs the “crontab” command:
sai@opensuse:/etc> crontab -l
You (sai) are not allowed to use this program (crontab)
See crontab(1) for more information