How to Restrict Permissions on Files Used by cron

1. Restrict the permissions on the primary system crontab file.

# chown root:root /etc/crontab
# chmod 600 /etc/crontab

2. If anacron has not been removed, restrict the permissions on its primary configuration file.

# chown root:root /etc/anacrontab
# chmod 600 /etc/anacrontab

3. Restrict the permissions on all system crontab directories.

# cd /etc
# chown -R root:root cron.hourly cron.daily cron.weekly cron.monthly cron.d
# chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d

4. Restrict the permissions on the spool directory for user crontab files.

# chown root:root /var/spool/cron
# chmod -R go-rwx /var/spool/cron

Cron and anacron make use of a number of configuration files and directories. The system crontabs need only be edited by root, and user crontabs are edited using the setuid root crontab command. If unprivileged users can modify system configuration, they may be able to gain elevated privileges, so all unnecessary access to these files should be disabled.
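To confirm that steps 1-4 took effect, and to catch later drift, the same paths can be audited. The function below is an added example, not part of the original procedure; it assumes GNU find and stat, and its name and its ROOT, OWNER and GROUP arguments are choices made for this example.

```shell
#!/bin/sh
# Added example: audit the cron paths from steps 1-4 (assumes GNU find and stat).
# Usage: audit_cron_perms [ROOT] [OWNER] [GROUP]
#   ROOT          prefix prepended to each path (empty = live system, run as root)
#   OWNER, GROUP  expected owner and group, default root and root
# Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_cron_perms() {
    root=${1:-}; owner=${2:-root}; group=${3:-root}
    bad=0
    for p in /etc/crontab /etc/anacrontab \
             /etc/cron.hourly /etc/cron.daily /etc/cron.weekly \
             /etc/cron.monthly /etc/cron.d /var/spool/cron; do
        t=$root$p
        [ -e "$t" ] || continue        # e.g. anacron has been removed
        # Step 4 runs chown without -R, so only the spool directory itself
        # is expected to be root-owned; ownership is checked at depth 0 there.
        depth=
        if [ "$p" = /var/spool/cron ]; then depth='-maxdepth 0'; fi
        # Symlinks are skipped: their own mode bits are always rwxrwxrwx.
        out=$(
            find "$t" $depth ! -type l \
                \( ! -user "$owner" -o ! -group "$group" \) \
                -exec stat -c 'owner %U:%G  %n' {} +
            find "$t" ! -type l -perm /077 \
                -exec stat -c 'mode %a  %n' {} +
        )
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            bad=1
        fi
    done
    return "$bad"
}
# Live system, as root:   audit_cron_perms
# Staged tree or image:   audit_cron_perms /mnt/image
```

Each "mode" line names a file or directory that still has group or other permission bits set; each "owner" line names one whose owner or group is not the expected one.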
