Prohibiting ordinary users from using the crontab command on Linux

By default, cron scheduled tasks can be created and run by both root and non-root users. If you want to restrict this for some users for security reasons, you can do so with two files:
  • cron.allow
  • cron.deny

cron.allow: defines users who are allowed to use crontab commands 
cron.deny: defines users who are denied access to crontab commands

The two files are checked in order of priority. When an ordinary user runs the crontab command:
1. The system first checks whether the cron.allow file exists. If it exists, the system checks whether the current user is listed in it. If the check passes, the command is executed. If the check fails, the system directly reports that the user does not have execute permission.

2. If the system does not find a cron.allow file, it checks the cron.deny file next to see whether the current user is denied. If the user running crontab is not listed in cron.deny, the command is executed successfully. If the user is listed in cron.deny, the system directly reports that the user does not have execute permission.


Case 1: Only the root and www users are allowed to execute the crontab command; all other users are forbidden to execute it.
On the host where the policy needs to be defined:
echo "www" > /etc/cron.allow


Case 2: Only the anonymous user is denied the crontab command; all other users can execute it:
rm -f /etc/cron.allow
echo "anonymous" > /etc/cron.deny
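
To confirm that either case produced the intended policy, the following added example (not part of the original article) applies the cron.allow / cron.deny check order described above to every account in a passwd-format file. The function names are hypothetical. Assumptions: root is treated as always permitted, as Case 1 implies, and "undetermined" is reported when neither file exists, because that outcome depends on the cron implementation.

```shell
#!/bin/sh
# Added example: report which accounts may run crontab, following the
# cron.allow / cron.deny precedence described on this page.

# crontab_access USER [ALLOW_FILE] [DENY_FILE]   (hypothetical helper)
# Prints "allowed", "denied" or "undetermined"; returns 0, 1 or 2.
crontab_access() {
    user=$1
    allow=${2:-/etc/cron.allow}
    deny=${3:-/etc/cron.deny}

    # Assumption taken from Case 1: root needs no cron.allow entry.
    if [ "$user" = root ]; then echo allowed; return 0; fi

    if [ -f "$allow" ]; then
        # cron.allow exists: it alone decides, cron.deny is not consulted.
        # -F -x matches the whole line literally, so an entry written with
        # typographic quotes does not match the bare user name.
        if grep -Fxq -- "$user" "$allow"; then echo allowed; return 0; fi
        echo denied; return 1
    fi

    if [ -f "$deny" ]; then
        # No cron.allow: only users listed in cron.deny are refused.
        if grep -Fxq -- "$user" "$deny"; then echo denied; return 1; fi
        echo allowed; return 0
    fi

    # Neither file exists: the result depends on the cron implementation.
    echo undetermined; return 2
}

# audit_crontab_access PASSWD_FILE [ALLOW_FILE] [DENY_FILE]
# Prints one "user:verdict" line per account in PASSWD_FILE.
audit_crontab_access() {
    while IFS=: read -r name _rest; do
        [ -n "$name" ] || continue
        printf '%s:%s\n' "$name" "$(crontab_access "$name" "$2" "$3")"
    done < "$1"
}
```

Running `audit_crontab_access /etc/passwd` after applying a case lists every account with its verdict, which makes an unintended entry or a mistyped user name easy to spot.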
