Trying to deny users from using Cron

pluckypigeon · 2010-01-05 06:19:46

I am trying to set it so that only Root can use Cron.

I have tried 'touch /etc/cron.deny' and adding usernames but to no avail.

Anyone have any ideas?? Thanks in advance

ngoonee · 2010-01-05 06:45:06

Uh, isn't cron by default only editable by root?

pluckypigeon · 2010-01-05 06:48:12

ngoonee wrote:

Uh, isn't cron by default only editable by root?

Thanks for your response but no

I can log in as any user and type crontab -e

Gen2ly · 2010-01-05 06:50:38

/etc/cron.deny and /etc/cron.allow is for vixie cron and Arch uses dcron. Not on Arch now but vixie cron is probably in the repos, as I don't think that dcron has this ability.

pluckypigeon · 2010-01-05 06:57:23

Gen2ly wrote:

/etc/cron.deny and /etc/cron.allow is for vixie cron and Arch uses dcron. Not on Arch now but vixie cron is probably in the repos, as I don't think that dcron has this ability.

Thanks for your response, vixie cron is in the AUR. Does this mean I have to remove dcron or is there another way?

pluckypigeon · 2010-01-05 07:07:25

Ok, I found this on the LFS website

If you want to restrict access to cron, do:
groupadd cron
chown root.cron /usr/bin/crontab
chmod 4750 /usr/bin/crontab

Now add every user that is allowed to use cron to the new group 'cron'.

http://www.linuxfromscratch.org/hints/d … /dcron.txt

Last edited by pluckypigeon (2010-01-05 07:09:08)

ngoonee · 2010-01-05 09:32:37

pluckypigeon wrote:

ngoonee wrote:
Uh, isn't cron by default only editable by root?
Thanks for your response but no
I can log in as any user and type crontab -e

Sorry, I edit by hand and assumed that crontab required root rights :shy:

Profjim · 2010-01-19 17:48:06

pluckypigeon wrote:

Ok, I found this on the LFS website
If you want to restrict access to cron, do:
groupadd cron
chown root.cron /usr/bin/crontab
chmod 4750 /usr/bin/crontab

Now add every user that is allowed to use cron to the new group 'cron'.
http://www.linuxfromscratch.org/hints/d … /dcron.txt

Or you can just do:

chgrp root /usr/bin/crontab
chmod 4750 /usr/bin/crontab

to add dcron's crontab to the "root" group (and reset its permissions, which get changed when you change its group). crontab is setuid, and will only allow users belonging to whatever group it's assigned to use it

The crontab directory should already be impossible for users without root privileges to modify.

Last edited by Profjim (2010-02-06 20:42:55)

perbh · 2010-01-19 18:53:36

Just to add more confusion to it all ...
I know this is true for slackware, but haven't tried it on arch ...

Each user can have his/her own crontab, so they can all do a 'crontab -e' - but ... it will not run with root priviledges

Cyrusm · 2010-01-19 19:38:13

perbh wrote:

Just to add more confusion to it all ...
I know this is true for slackware, but haven't tried it on arch ...
Each user can have his/her own crontab, so they can all do a 'crontab -e' - but ... it will not run with root priviledges

that is true, each user has their own individual crontab that only they and root may edit. This way, users have the power to create their own scheduled tasks (i.e. change wallpaper, run backups, yada yada).
obviously only root has access to the root crontab.
and crontab entries requiring root privelages must be run from the root crontab. basically, if you don't want regular users changing the root crontab, make sure that they don't have root privelages. if you trust a user enough to give them root privelages, then tell them not to mess with the crontab.

sand_man · 2010-01-19 21:26:40

Yeah but I'm sure there are reasons for stopping the average user from using cron at all. I'm sure I could find some way to abuse system resources without needing root privileges.

Profjim · 2010-01-21 13:16:11

I'm the current developer of dcron. A crontab can be created _for_ any user in the password database; the user doesn't even need to have a login shell.

However, crontabs can only be created _by_ users who belong to the group that the /usr/bin/crontab binary is assigned to. In dcron 4.4, now in [testing], the default group is 'users', but several earlier posts in this thread explain how to change that to another group. So if you don't want users who can't su to root to be able to create crontabs, you can easily do that.

If you want your permission changes to /usr/bin/crontab to persist across updates, look into the customizepkg or customizepkg-new scripts in [aur]. These work hand-in-hand with yaourt; I'm not sure if any other pacman-enhancers also cooperate with them. But at worst, you can use these to script whatever mods you want to make to a PKGBUILD, and then always build upgrades for that package by hand, from abs, using your customizepkg-scripted mods, rather than installing the pre-built binaries for the upgrade with pacman. Building dcron takes only a few seconds.

Arch Linux

#1 2010-01-05 06:19:46

Trying to deny users from using Cron

#2 2010-01-05 06:45:06

Re: Trying to deny users from using Cron

#3 2010-01-05 06:48:12

Re: Trying to deny users from using Cron

#4 2010-01-05 06:50:38

Re: Trying to deny users from using Cron

#5 2010-01-05 06:57:23

Re: Trying to deny users from using Cron

#6 2010-01-05 07:07:25

Re: Trying to deny users from using Cron

#7 2010-01-05 09:32:37

Re: Trying to deny users from using Cron

#8 2010-01-19 17:48:06

Re: Trying to deny users from using Cron

#9 2010-01-19 18:53:36

Re: Trying to deny users from using Cron

#10 2010-01-19 19:38:13

Re: Trying to deny users from using Cron

#11 2010-01-19 21:26:40

Re: Trying to deny users from using Cron

#12 2010-01-21 13:16:11

Re: Trying to deny users from using Cron

Board footer