If the cron.allow file exists, then you must be listed therein in order
to be allowed to use this command. If the cron.allow file does not
exist but the cron.deny file does exist, then you must not be listed in
the cron.deny file in order to use this command. If neither of these
files exists, only the super user will be allowed to use this command.
On Debian, however, this is very different. If both those files are missing, then anyone on the system can take advantage of crontab(1). According to the Debian man page:
If the /etc/cron.allow file exists, then you must be listed therein in
order to be allowed to use this command. If the /etc/cron.allow file
does not exist but the /etc/cron.deny file does exist, then you must
not be listed in the /etc/cron.deny file in order to use this command.
If neither of these files exists, then depending on site-dependent configuration
parameters, only the super user will be allowed to use this
command, or all users will be able to use this command. For standard
Debian systems, all users may use this command.
Now, both RHEL and Debian are running the cron developed by Paul Vixie. That much is clear. So, why the extreme difference between the two? Who is going against the grain, and who is sticking with the standard vanilla behavior? Curious, I did some research on Vixie cron, and it turns out that Paul Vixie developed it for BSD 4.3. Further, it's been taken up by the ISC (BIND, DHCP, etc) for future development. Now, I don't have BSD 4.3, but I do have FreeBSD, OpenBSD and NetBSD. Logging into each of those systems, I find that they are also running Vixie cron. So, curious, I pull up their crontab(1) man page:
If the allow file exists, then you must be listed therein in order to be
allowed to use this command. If the allow file does not exist but the
deny file does exist, then you must not be listed in the deny file in
order to use this command. If neither of these files exists, then
depending on site-dependent configuration parameters, only the super user
will be allowed to use this command, or all users will be able to use
this command. The format of these files is one username per line, with
no leading or trailing whitespace. Lines of other formats will be
ignored, and so can be used for comments.
Their man page is very similar to Debian's. Both state that if the /etc/cron.allow and /etc/cron.deny files are missing, then depending on site-wide configuration, either only the super-user can install cron jobs or all users on the system can. The RHEL page is the only one "out of place", if you will, by saying that if both are missing, only the super-user can install cron jobs.
So, the question comes up, where is this site-wide config? On Debian, I would expect it to be /etc/default/cron. Sure enough, that file exists, but it doesn't appear to have any variables that configure the behavior we're seeking. Digging a bit, I find that PAM can also control who gets to use crontab(1). So, I pull up /etc/pam.d/cron, but I'm not sure if what I'm seeing controls this behavior as well. Then, there's /etc/security/access.conf, which is a configuration for pam_access.so. That entire file is nothing but comments, as is the case on RHEL.
The only file that shows promise is /etc/pam.d/cron, as they are different between Debian and RHEL. But, I can't seem to find any line in the config that says only root can install cron jobs on RHEL and everyone can on Debian, however. To be honest, I would be quite shocked if Debian was deviating from the standard vanilla install. That's not like Debian to do so. Sure, it has done so on occasion, but usually produces a good benefit to the system or administrator (Apache comes to mind). I'm tending to believe that Red Hat is deviating from the norm, as the BSDs and Debian agree on the base install of Vixie cron (man page agrees and both /etc/cron.allow and /etc/cron.deny files missing). My experience has shown that Red Hat deviates from standard quite a bit, where Debian does not.
But, that's not the point. The point is, where is this elusive site-wide configuration file that determines if only root can install cron jobs or all users can with the two cron.allow and cron.deny files missing??? If anyone has some ideas, it would be greatly appreciated.
Thanks,
-- . O . O . O . . O O . . . O . . . O . O O O . O . O O . . O O O O . O . . O O O O . O O O
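The access rule quoted from the three man pages above, written out as an added shell example (not code from cron and not part of either message). The function names and the `root-only` / `all-users` labels are made up for illustration, and the fallback is passed in as a parameter because the thread never establishes where it is configured.

```shell
#!/bin/sh
# Added example: models the crontab(1) access rule as the quoted man pages
# state it. File paths and the fallback policy are arguments, so the check
# can be run against copies of /etc/cron.allow and /etc/cron.deny.

# listed USER FILE -> 0 if FILE contains a line that is exactly USER.
# -x matches whole lines only, so lines with leading or trailing whitespace
# and comment lines never match (the BSD page says such lines are ignored).
listed() {
    grep -Fxq -- "$1" "$2"
}

# crontab_allowed USER ALLOW_FILE DENY_FILE FALLBACK
# FALLBACK stands in for the "site-dependent" default (assumed labels):
# "root-only" (what the RHEL page describes) or "all-users" (Debian).
# Prints the rule that decided; returns 0 if allowed, 1 if denied.
# Follows the quoted text literally: root gets no exemption when an allow
# or deny file exists; a real implementation may treat root specially.
crontab_allowed() {
    user=$1 allow=$2 deny=$3 fallback=$4
    [ -n "$user" ] || { echo "no-user"; return 1; }
    if [ -e "$allow" ]; then            # allow file wins; deny is not read
        if listed "$user" "$allow"; then echo "allow-listed"; return 0; fi
        echo "not-in-allow"; return 1
    fi
    if [ -e "$deny" ]; then
        if listed "$user" "$deny"; then echo "deny-listed"; return 1; fi
        echo "not-in-deny"; return 0
    fi
    echo "fallback-$fallback"           # neither file exists
    [ "$fallback" = "all-users" ] || [ "$user" = "root" ]
}

# Demo on constructed files: no allow file, deny file lists alice.
demo_dir=$(mktemp -d)
printf 'alice\n' > "$demo_dir/cron.deny"
for u in root alice bob; do
    printf '%s: ' "$u"
    crontab_allowed "$u" "$demo_dir/cron.allow" "$demo_dir/cron.deny" root-only
done
rm -rf "$demo_dir"
```

Running it with both files absent and each fallback value in turn reproduces the RHEL/Debian difference the post describes.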
The only file that shows promise is /etc/pam.d/cron, as they are different between Debian and RHEL. But, I can't seem to find any line in the config that says only root can install cron jobs on RHEL and everyone can on Debian, however. To be honest, I would be quite shocked if Debian was deviating from the standard vanilla install. That's not like Debian to do so. Sure, it has done so on occasion, but usually produces a good benefit to the system or administrator (Apache comes to mind). I'm tending to believe that Red Hat is deviating from the norm, as the BSDs and Debian agree on the base install of Vixie cron (man page agrees and both /etc/cron.allow and /etc/cron.deny files missing). My experience has shown that Red Hat deviates from standard quite a bit, where Debian does not.
More info here:
http://upstart.ubuntu.com/faq.html#replace-cron
http://fedoraproject.org/wiki/Features/Upstart
http://lists.debian.org/debian-devel-announce/2009/09/msg00003.html
http://mjg59.livejournal.com/111453.html
http://sites.google.com/a/chromium.org/dev/chromium-os/chromiumos-design-docs/security-overview
http://wiki.maemo.org/Task:Maemo_roadmap/Fremantle