Sun Microsystems, Inc.

How to Limit crontab Access to Specified Users

  1. Become superuser.

  2. Create the /etc/cron.d/cron.allow file.

  3. Enter the root user name into the cron.allow file.

    If you do not add root to the file, superuser access to crontab commands will be denied.

  4. Enter the user names, one per line, that will be allowed to use the crontab command.

    root
    username1
    username2
    username3
    .
    .
    .

Examples--Limiting crontab Access to Specified Users

The following example shows a cron.deny file that prevents user names visitor, jones, and temp from accessing the crontab command.

$ cat /etc/cron.d/cron.deny
daemon
bin
smtp
nuucp
listen
nobody
noaccess
jones
temp
visitor

The following example shows a cron.allow file. The users smith, jones, lp, and root are the only ones who can access the crontab command.

$ cat /etc/cron.d/cron.allow
root
jones
lp
smith

How to Verify Limited crontab Access

To verify if a specific user can access crontab, use the crontab -l command while you are logged into the user account.

$ crontab -l

If the user can access crontab, and already has created a crontab file, the file is displayed. Otherwise, if the user can access crontab but no crontab file exists, a message such as the following is displayed:

crontab: can't open your crontab file

This user either is listed in cron.allow (if the file exists), or the user is not listed in cron.deny.

If the user cannot access the crontab command, the following message is displayed whether or not a previous crontab file exists:

crontab: you are not authorized to use cron. Sorry.

This message means that either the user is not listed in cron.allow (if the file exists), or the user is listed in cron.deny.
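
The access rule described above can be checked for any user name without logging in to each account. The following script is an added example and is not part of the original Sun documentation; the function names cron_access and root_kept are hypothetical, and the sample files are constructed from the two example listings on this page. When neither file exists the script reports "unknown", because this page does not describe that case.

```shell
#!/bin/sh
# Added example: crontab access decision as the page describes it.
# DIR defaults to /etc/cron.d; the sample directories below are constructed.

# Print "allowed", "denied" or "unknown" for USER.
cron_access() {
    user=$1 dir=${2:-/etc/cron.d}
    if [ -f "$dir/cron.allow" ]; then
        # cron.allow exists: only users listed in it may use crontab,
        # and cron.deny is not consulted. This applies to root too.
        if grep -qxF -e "$user" "$dir/cron.allow"; then echo allowed
        else echo denied; fi
    elif [ -f "$dir/cron.deny" ]; then
        # No cron.allow: everyone not listed in cron.deny may use crontab.
        if grep -qxF -e "$user" "$dir/cron.deny"; then echo denied
        else echo allowed; fi
    else
        echo unknown    # neither file present: not covered by the page
    fi
}

# Succeeds unless a cron.allow exists without a root entry (step 3).
root_kept() {
    dir=${1:-/etc/cron.d}
    [ ! -f "$dir/cron.allow" ] || grep -qxF -e root "$dir/cron.allow"
}

# Constructed sample: the page's two example files, in temp directories.
DENY_ONLY=$(mktemp -d) BOTH=$(mktemp -d)
printf '%s\n' daemon bin smtp nuucp listen nobody noaccess jones temp visitor \
    > "$DENY_ONLY/cron.deny"
cp "$DENY_ONLY/cron.deny" "$BOTH/cron.deny"
printf '%s\n' root jones lp smith > "$BOTH/cron.allow"

for u in root jones smith visitor; do
    echo "$u: deny-only=$(cron_access "$u" "$DENY_ONLY")" \
         "allow+deny=$(cron_access "$u" "$BOTH")"
done
root_kept "$BOTH" && echo "root is listed in cron.allow"
```

Note that jones appears in both example files: with only cron.deny present jones is denied, but once cron.allow exists the same user is allowed, because cron.allow is checked first.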

Scheduling a Single System Task (at)

The following sections describe how to use the at command to schedule jobs (commands and scripts) for execution at a later time, how to display and remove these jobs, and how to control access to the at command.

By default, users can create, display, and remove their own at job files. To access at files that belong to root or other users, you must have superuser privileges.

When you submit an at job, it is assigned a job identification number along with the .a extension, which becomes the job's file name.

Description of the at Command

Submitting an at job file involves:

  1. Invoking the at utility and specifying a command execution time.

  2. Entering a command or script to execute later.


    Note - If output from this command or script is important, be sure to direct the output to a file for later examination.


For example, the following at job removes core files from the user account smith near midnight on the last day of July.

$ at 11:45pm July 31
at> rm /home/smith/*core*
at> Press Control-d
commands will be executed using /bin/csh
job 933486300.a at Tue Jul 31 23:45:00 2001

Controlling Access to the at Command

You can set up a file to control access to the at command, permitting only specified users to create, remove, or display queue information about their at jobs. The file that controls access to the at command, /etc/cron.d/at.deny, consists of a list of user names, one per line. The users listed in this file cannot access at commands.

The at.deny file, created during SunOS software installation, contains the following user names:

daemon
bin
smtp
nuucp
listen
nobody
noaccess

With superuser privileges, you can edit the at.deny file to add other user names whose at access you want to restrict.

How to Create an at Job

  1. Start the at utility, specifying the time you want your job executed.

    $ at [-m] time [date] 

    -m

    Sends you email after the job is completed.

    time

    Hour that you want to schedule the job. Add am or pm if you do not specify the hours according to a 24-hour clock. Acceptable keywords are midnight, noon, and now. Minutes are optional.

    date

    First three or more letters of a month, a day of the week, or the keywords today or tomorrow.

  2. At the at prompt, type the commands or scripts you want to execute, one per line.

    You may enter more than one command by pressing Return at the end of each line.

  3. Exit the at utility and save the at job by pressing Control-D.

    Your at job is assigned a queue number, which is also the job's file name. This number is displayed when you exit the at utility.

Examples--Creating an at Job

The following example shows the at job that user jones created to remove her backup files at 7:30 p.m. She used the -m option so that she would receive an email message after her job completed.

$ at -m 1930
at> rm /home/jones/*.backup
at> Press Control-D
job 897355800.a at Thu Jul  12 19:30:00 2001

She received a mail message which confirmed the execution of her at job.

Your "at" job "rm /home/jones/*.backup"
completed.

The following example shows how jones scheduled a large at job for 4:00 a.m. Saturday morning. The job output was directed to big.file.

$ at 4 am Saturday
at> sort -r /usr/dict/words > /export/home/jones/big.file
 
 
 