Level 1 - Server Level 1 - Workstation
Configure /etc/cron.allow
and /etc/at.allow
to allow specific users to use these services. If /etc/cron.allow
or /etc/at.allow
do not exist, then /etc/at.deny
and /etc/cron.deny
are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow
and /etc/at.allow
are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs.
On many systems, only the system administrator is authorized to schedule cron
jobs. Using the cron.allow
file to control who can run cron
jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
Run the following commands and ensure /etc/cron.deny
and /etc/at.deny
do not exist:
# stat /etc/cron.deny stat: cannot stat '/etc/cron.deny': No such file or directory # stat /etc/at.deny stat: cannot stat '/etc/at.deny': No such file or directory
Run the following command and verify Uid
and Gid
are both 0/root
and Access
does not grant permissions to group
or other
for both /etc/cron.allow
and /etc/at.allow
:
# stat /etc/cron.allow Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) # stat /etc/at.allow Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Run the following commands to remove /etc/cron.deny
and /etc/at.deny
and create and set permissions and ownership for /etc/cron.allow
and /etc/at.allow
:
# rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow