How to block non-root user from creating crontab entry in Linux

By admin

The requirement here is that no non-root user should be allowed to edit crontab entries. This post describes the steps to enforce that. There are three ways to achieve this:

1. Disable ssh access to the system for non-root users, which in turn disables shell login itself for a non-root user.

2. Add the user name to the file /etc/cron.deny, one user per line (the typical method, which affects only the users listed in the file).

# cat /etc/cron.deny 
oracle

Another easy workaround is to leave the /etc/cron.deny file empty and add only the root user name to the file /etc/cron.allow. This allows only the root user to add or modify cron entries.

Note: Make sure that there is no conflict between the files /etc/cron.allow and /etc/cron.deny. Refer to the post below for more information on how crontab validates user access to cron.
UNIX / Linux : How crontab validates the access based on the cron.allow and cron.deny files

Verify as the denied user by creating a crontab entry. It should give you an error as shown below.

# crontab -e
You (oracle) are not allowed to use this program (crontab)
See crontab(1) for more information

3. A more aggressive approach is to remove the execute permission on the crontab command. This removes every non-root user's ability to add or modify cron entries.
Default permissions of the file /usr/bin/crontab:

# ls -lrt /usr/bin/crontab 
-rwsr-xr-x 1 root root 51784 Jul 22  2016 /usr/bin/crontab

After removing the execute permission:

# chmod 700 /usr/bin/crontab
# ls -lrt /usr/bin/crontab 
-rwx------ 1 root root 51784 Jul 22  2016 /usr/bin/crontab

Note: Make sure you have a backup of the file /usr/bin/crontab before changing its file permissions. Also note that after a package upgrade or reinstall, this change will be reverted to the default.

Please note the default permissions of the /usr/bin/crontab file before making any change:

# stat /usr/bin/crontab
  File: `/usr/bin/crontab'
  Size: 51784     	Blocks: 104        IO Block: 4096   regular file
Device: fd00h/64768d	Inode: 1318020     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-09-13 09:39:27.192418684 +0530
Modify: 2016-07-22 12:50:39.000000000 +0530
Change: 2017-09-08 18:11:33.668586770 +0530

Verify as the denied user by creating a crontab entry:

# crontab -e
bash: /usr/bin/crontab: Permission denied
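
The checks behind methods 2 and 3 can be combined into one audit that lists every non-root account still able to edit a crontab. This is an added example, not part of the original post; it assumes the cron.allow/cron.deny rules documented in crontab(1) for cronie on CentOS/RHEL, and the function names and the sample accounts in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Access rules assumed: crontab(1)
# as shipped with cronie on CentOS/RHEL.

# cron_access USER ALLOW_FILE DENY_FILE -> prints "allowed" or "denied"
cron_access() {
    user=$1 allow=$2 deny=$3
    if [ "$user" = root ]; then
        echo allowed                 # assumption: root is not restricted by these files
    elif [ -f "$allow" ]; then       # cron.allow exists: cron.deny is not consulted
        grep -qxF -- "$user" "$allow" && echo allowed || echo denied
    elif [ -f "$deny" ]; then        # only cron.deny: just the listed users are blocked
        grep -qxF -- "$user" "$deny" && echo denied || echo allowed
    else
        echo denied                  # neither file: only root may use crontab
    fi
}

# crontab_exec_open FILE -> exit 0 if group or others can still execute FILE
crontab_exec_open() {
    [ -n "$(find "$1" -prune \( -perm -0010 -o -perm -0001 \) 2>/dev/null)" ]
}

# audit_cron PASSWD ALLOW DENY BIN -> names of non-root accounts that can still
# edit a crontab; no output means the lockdown holds
audit_cron() {
    crontab_exec_open "$4" || return 0   # method 3 in place: binary is root-only
    cut -d: -f1 "$1" | while read -r u; do
        if [ "$u" != root ] && [ "$(cron_access "$u" "$2" "$3")" = allowed ]; then
            echo "$u"
        fi
    done
}

# Demo on constructed files: method 2 with only "oracle" in cron.deny.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' \
        'oracle:x:1001:1001::/home/oracle:/bin/bash' \
        'appuser:x:1002:1002::/home/appuser:/bin/bash' > "$d/passwd"
    echo oracle > "$d/cron.deny"
    : > "$d/crontab"; chmod 755 "$d/crontab"
    audit_cron "$d/passwd" "$d/cron.allow" "$d/cron.deny" "$d/crontab"
    rm -rf "$d"
}
demo   # prints: appuser
```

On a real host, run `audit_cron /etc/passwd /etc/cron.allow /etc/cron.deny /usr/bin/crontab` as root, and repeat it after package upgrades, since those restore the default mode of /usr/bin/crontab.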
