
Problem with cron.allow


fabrice

Jun 4, 2007, 10:15:06 AM
Hello,

I would like to restrict access to the crontab system to root only.
I'm working with Debian sarge.
So I have created the /etc/cron.allow file with root inside.
But it seems not to work, because each user can still create a cron table.

Have I missed something?

Thanks.
fab


Patrick

Jun 4, 2007, 1:02:53 PM
In news:f416pb$emv$1...@s1.news.oleane.net,
fabrice <emou...@test.com> wrote:

Does cron.deny exist? If so, remove it. Did you restart the cron daemon?

fabrice

Jun 5, 2007, 3:47:39 AM
Hello,

cron.deny does not exist.
I have found the problem, but I'm not sure I understand all the subtleties.

I have set the file permissions to 600 for /etc/cron.allow.
So when a user calls the crontab command, the file /etc/cron.allow could not
be read.
By changing to 644, the file /etc/cron.allow works.

But I don't understand how the cron daemon works.
I have 3 questions (sorry):

1) It seems to run under root

ps aux | grep cron
root 13262 0.0 0.0 1764 820 ? Ss Jun04 0:00 /usr/sbin/cron

So why can't it read /etc/cron.allow with file permission 600?

2) Is there a way to modify the default Debian behavior with cron?
I can understand that if /etc/cron.allow or /etc/cron.deny doesn't exist,
everybody can use crontab!
I prefer the policy: if they don't exist, only root can use crontab.
Can we change that?

3) What is the group crontab?

Thanks a lot
fabrice


"Patrick" <ptri.c.k.@statrerv.corn> wrote in message news:
5ciuubF...@mid.individual.net...

Bill Marcum

Jun 6, 2007, 1:14:19 PM
On Tue, 5 Jun 2007 09:47:39 +0200, fabrice
<emou...@test.com> wrote:
>
>
> Hello,
>
> cron.deny does not exist.
> I have found the problem, but I'm not sure I understand all the subtleties.
>
> I have set the file permissions to 600 for /etc/cron.allow.
> So when a user calls the crontab command, the file /etc/cron.allow could not
> be read.
> By changing to 644, the file /etc/cron.allow works.
>
> But I don't understand how the cron daemon works.
> I have 3 questions (sorry):
>
> 1) It seems to run under root
>
> ps aux | grep cron
> root 13262 0.0 0.0 1764 820 ? Ss Jun04 0:00 /usr/sbin/cron
>
> So why can't it read /etc/cron.allow with file permission 600?
>
ls -l /usr/bin/crontab
-rwxr-sr-x 1 root crontab 26668 2005-11-15 07:42 /usr/bin/crontab
The crontab command doesn't have setuid permission, only setgid.

> 2) Is there a way to modify the default Debian behavior with cron?
> I can understand that if /etc/cron.allow or /etc/cron.deny doesn't exist,
> everybody can use crontab!
> I prefer the policy: if they don't exist, only root can use crontab.
> Can we change that?
>

Try "chmod o-x /usr/bin/crontab". If you want to allow a user to use
crontab, you can add them to the crontab group or use sudo.

> 3) What is the group crontab?
>


--
BOFH excuse #203:
Write-only-memory subsystem too slow for this machine. Contact your
local dealer.
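
The permission question in this thread can be checked mechanically. The shell functions below are an added example, not code from the posters or from Debian's cron: they predict whether crontab, started by an ordinary user, can read an access file such as /etc/cron.allow, and cover more cases than the 600 and 644 modes discussed above. The names can_read and audit are hypothetical; the check assumes crontab opens the file with the effective ids its setuid/setgid bits give it, and that the calling user neither owns the file nor belongs to its group.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: crontab reads the file
# with the effective uid/gid given by its setuid/setgid bits, and the calling
# user neither owns the file nor is a member of the file's group.

# can_read BIN_MODE BIN_OWNER BIN_GROUP FILE_MODE FILE_OWNER FILE_GROUP
# Modes are octal strings as printed by `stat -c %a` (e.g. 2755, 600).
# Returns 0 when the file is readable, 1 when it is not.
can_read() {
    bin_mode=$((0$1)); file_mode=$((0$4))
    if [ $((bin_mode & 04000)) -ne 0 ]; then       # setuid binary
        [ "$2" = root ] && return 0                # euid 0 ignores mode bits
        if [ "$2" = "$5" ]; then                   # euid owns the file
            [ $((file_mode & 0400)) -ne 0 ]; return
        fi
    fi
    if [ $((bin_mode & 02000)) -ne 0 ] && [ "$3" = "$6" ]; then
        [ $((file_mode & 040)) -ne 0 ]; return     # egid matches: group bits
    fi
    [ $((file_mode & 04)) -ne 0 ]                  # otherwise: "other" bits
}

# audit BIN FILE: run the same check on real paths (needs GNU stat).
audit() {
    b=$(stat -c '%a %U %G' "$1") && f=$(stat -c '%a %U %G' "$2") || return 2
    # Splitting $b and $f into three words each is intentional.
    if can_read $b $f; then
        echo "$2 ($f) is readable by $1 ($b)"
    else
        echo "$2 ($f) is NOT readable by $1 ($b)"; return 1
    fi
}

# Usage: sh check.sh /usr/bin/crontab /etc/cron.allow
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

With the values shown in the thread (crontab -rwxr-sr-x root crontab), a cron.allow at mode 600 root:root is reported as not readable and one at 644 as readable.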
