Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / SUSE Linux Enterprise Desktop Documentation / Security and Hardening Guide / Local security / Restricting cron and at
Applies to SUSE Linux Enterprise Desktop 15 SP6

15 Restricting cron and at

This chapter explains how to restrict access to the cron and at daemons to improve the security of a system.

15.1 Restricting the cron daemon

The cron system is used to automatically run commands in the background at predefined times. For more information about cron, refer to the Section 30.1.2, “The cron package”.

The cron.allow file specifies a list of users that are allowed to execute jobs via cron. The file does not exist by default, so all users can create cron jobs—except for those listed in cron.deny.

To prevent users except for root from creating cron jobs, perform the following steps.

  1. Create an empty file /etc/cron.allow:

    tux > sudo touch /etc/cron.allow
  2. Allow users to create cron jobs by adding their user names to the file:

    tux > sudo echo "tux" >> /etc/cron.allow
  3. To verify, try creating a cron job as non-root user listed in cron.allow. You should see the message:

    tux > crontab -e
    no crontab for tux - using an empty one

    Quit the crontab editor and try the same with a user not listed in the file (or before adding them in step 2 of this procedure):

    wilber > crontab -e
    You (wilber) are not allowed to use this program (crontab)
    See crontab(1) for more information
Important
Important: Existing cron jobs

Implementing cron.allow prevents users from creating new cron jobs. Existing jobs run, even for users listed in cron.deny. To prevent this, create the file as described and remove existing user crontabs from the directory /var/spool/cron/tabs to ensure they are not run anymore.

Note
Note: Switching to systemd timer units

You should also consider switching to systemd timer units, as they allow for more powerful and reliable task execution. By default, users cannot use them to run code when they are not logged in. This limits the way users can interact with the system while not being connected to it.

For more information about systemd timer units, refer to Section 19.7, “systemd timer units”.

15.2 Restricting the at scheduler

The at job execution system allows users to scheduled one-time running jobs. The at.allow file specifies a list of users that are allowed to schedule jobs via at. The file does not exist by default, so all users can schedule at jobs—except for those listed in at.deny)

To prevent users except for root from scheduling jobs with at, perform the following steps.

  1. Create an empty file /etc/at.allow:

    tux > sudo touch /etc/at.allow
  2. Allow users to schedule jobs with at by adding their user names to the file:

    tux > sudo echo "tux" >> /etc/at.allow
  3. To verify, try scheduling a job as non-root user listed in at.allow:

    tux > at 00:00
    at>

    Quit the atprompt with CtrlC and try the same with a user not listed in the file (or before adding them in step 2 of this procedure):

    wilber > at 00:00
    You do not have permission to use at.
Note
Note: Uninstalling at

at is not widely used anymore. If you do not have valid use cases, consider uninstalling the daemon instead of just restricting its access.