In SuSE and openSUSE the following files control access:
/etc/at.allow – only the users listed in the file are allowed to run ‘at’
/etc/at.deny – the users listed in the file are denied permission to run ‘at’
/etc/cron.allow – only the users listed in the file are allowed to run ‘crontab’
/etc/cron.deny – the users listed in the file are denied permission to run ‘crontab’
How it works?
1. If either /etc/cron.allow & /etc/at.allow or /etc/cron.deny & /etc/at/deny files don’t exist then only Root user can run crontab & at commands
2. If /etc/cron.deny & /etc/at.deny files exist and /etc/cron.allow & /etc/at.allow don’t exist (which is the default) then all users except the ones listed in the deny files are allowed access.
3. If /etc/cron.allow & /etc/at.allow files exist and /etc/cron.deny & /etc/at.deny don’t exist (which is the default) then all users listed in the allow files are only allowed access.
4. If both /etc/cron.allow & /etc/at.allow files and /etc/cron.deny & /etc/at.deny exist then the deny files are ignored and all users listed in the allow files are only allowed access.
How to use it?
Ideally,it is best to create a /etc/cron.allow and/also /etc/at.allow file and ensure those users wo only have a need to run cron or at jobs are entered into this file. This will allow access only to those users and deny every other user (except root) the permission to run cron/at jobs on the system
So, for instance if a user is listed in /etc/cron.deny file and the /etc/cron.allow file doesn’t exist then this is the outcome when he runs the “crontab” command:
sai@opensuse:/etc> crontab -l
You (sai) are not allowed to use this program (crontab)
See crontab(1) for more information