Controlling Access to the cron and at Commands



Scheduling is so powerful that most administrators don't necessarily want their users to be able to have complete access to the cron and at commands. As an administrator, you can control access to these commands on your FreeBSD system.

Let's say, for instance, you have a troublesome user who insists on running an IRC "eggdrop" bot, and every time you kill the process, it keeps coming back because the user has set up a crontab file to restart the process if it's not running (checking every hour, for example). The user doesn't respond to email. Your options are either to disable the user's account (always a possibility, unless the person is your brother-in-law or something) or to restrict the user's access to the cron and at commands. You can restrict the user's access through the deny and allow files for both programs.

The /var/cron/allow and /var/cron/deny files don't exist in the default FreeBSD installation. In this condition, anybody is allowed to create crontab files. If you create /var/cron/allow, the only users (aside from root) who can create crontab files are the ones you list in it (in a simple text list, one user per line). Alternatively, you can put users into /var/cron/deny. This approach lets everyone create crontab files, except for the users listed in the file. If both files exist, /var/cron/allow takes precedence.

The /var/at/at.allow and /var/at/at.deny files work the same way, but the filenames are slightly different, so take note!

Caution

Be sure that these config files, if you create them, are writable only by root; issue the chown root /var/cron/allow and chmod 600 /var/cron/allow commands if they are not.
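The following sh script is an added example, not code from the book: it applies the allow/deny rules described above to a user name and flags a control file that is not root-owned or is writable by group or others, as the caution requires. The function names, the scratch directory and the user names (alice, bob, eggbot) are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: models the allow/deny rules as the text above states them.

# cron_access USER [DIR] -> prints "allowed" or "denied"
cron_access() {
    user=$1
    dir=${2:-/var/cron}
    if [ "$user" = root ]; then
        echo allowed                      # root is never restricted
    elif [ -f "$dir/allow" ]; then
        # allow exists: only listed users pass; deny is not consulted
        if grep -qxF -- "$user" "$dir/allow"; then echo allowed; else echo denied; fi
    elif [ -f "$dir/deny" ]; then
        # only deny exists: everyone passes except listed users
        if grep -qxF -- "$user" "$dir/deny"; then echo denied; else echo allowed; fi
    else
        echo allowed                      # neither file: default install
    fi
}

# perm_issues FILE -> prints one line per problem, nothing if the file is sound
perm_issues() {
    line=$(ls -ldn "$1") || return 1
    mode=${line%% *}
    uid=$(echo "$line" | awk '{print $3}')
    [ "$uid" = 0 ] || echo "$1: not owned by root (uid $uid)"
    case $mode in
        ?????w*|????????w*) echo "$1: group- or world-writable ($mode)" ;;
    esac
}

# Constructed sample data in a scratch directory; user names are hypothetical.
demo() {
    d=$(mktemp -d) || return 1
    printf 'alice\n' > "$d/allow"
    printf 'alice\neggbot\n' > "$d/deny"
    chmod 666 "$d/allow"                  # deliberately too permissive
    for u in root alice bob eggbot; do
        echo "$u: $(cron_access "$u" "$d")"
    done
    perm_issues "$d/allow"
    rm -rf "$d"
}
demo
```

Run against the live system, `cron_access someuser` reads /var/cron by default, and `perm_issues /var/cron/allow` should print nothing once the chown and chmod commands from the caution have been applied.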





FreeBSD 6 Unleashed
ISBN: 0672328755
EAN: 2147483647
Year: 2006
Pages: 355
Authors: Brian Tiemann
