Archive for the tag 'cron'

How to Restrict Permissions on Files Used by cron

1. Restrict the permissions on the primary system crontab file.

# chown root:root /etc/crontab
# chmod 600 /etc/crontab

2. If anacron has not been removed, restrict the permissions on its primary configuration.

# chown root:root /etc/anacrontab
# chmod 600 /etc/anacrontab

3. Restrict the permissions on all system crontab directories:

# cd /etc
# chown -R root:root cron.hourly cron.daily cron.weekly cron.monthly cron.d
# chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d

4. Restrict the permissions on the spool directory for user crontab files.

# chown root:root /var/spool/cron
# chmod -R go-rwx /var/spool/cron

Cron and anacron make use of a number of configuration files and directories. The system crontabs need only be edited by root, and user crontabs are edited using the setuid root crontab command. If unprivileged users can modify system configuration, they may be able to gain elevated privileges, so all unnecessary access to these files should be disabled.
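
To verify that steps 1-4 took effect, and that later package installs or manual edits have not loosened them, the following read-only audit can be run. It is an added example, not part of the original procedure; it assumes GNU find, checks the owning user and the group/other permission bits, and its PREFIX parameter is a hypothetical convenience for auditing a tree rooted somewhere other than /.

```sh
#!/bin/sh
# Added example: read-only audit of the paths hardened in steps 1-4.
# Assumes GNU find (-perm /MODE, -maxdepth, -printf).
# Usage: audit_cron               audit the live system (run as root)
#        audit_cron OWNER PREFIX  audit a tree rooted at PREFIX

# cron_findings OWNER PREFIX
# PREFIX is a hypothetical parameter: a directory prepended to every path.
# Prints "owner: PATH" or "mode: PATH" for each entry that deviates.
cron_findings() {
    owner=$1
    prefix=$2
    # Steps 1-3: owner and mode are both applied to the whole tree.
    for name in crontab anacrontab cron.hourly cron.daily cron.weekly \
                cron.monthly cron.d; do
        path="$prefix/etc/$name"
        [ -e "$path" ] || continue   # for example, anacron was removed
        # Symlinks always report mode 0777, so they are not evaluated.
        find "$path" ! -type l ! -user "$owner" -printf 'owner: %p\n'
        find "$path" ! -type l -perm /077 -printf 'mode: %p\n'
    done
    # Step 4: only the spool directory itself is chowned to root; the
    # crontabs inside belong to their users, but go-rwx covers everything.
    spool="$prefix/var/spool/cron"
    if [ -e "$spool" ]; then
        find "$spool" -maxdepth 0 ! -user "$owner" -printf 'owner: %p\n'
        find "$spool" ! -type l -perm /077 -printf 'mode: %p\n'
    fi
}

# audit_cron [OWNER] [PREFIX]
# Prints the findings and returns 1 if there are any; returns 0 if clean.
audit_cron() {
    findings=$(cron_findings "${1:-root}" "${2:-}")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A non-zero return from audit_cron means at least one path needs the corresponding chown or chmod from the steps above re-applied.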

Configure Automatic Update Retrieval and Installation with Cron

The yum-updatesd service is not mature enough for an enterprise environment, and the service may introduce unnecessary overhead. When possible, replace this service with a cron job that calls yum directly.

Disable the yum-updatesd service:

# chkconfig yum-updatesd off

Create the file yum.cron, make it executable, and place it in /etc/cron.daily:

#!/bin/sh
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update

This particular script instructs yum to update any packages it finds. Placing the script in /etc/cron.daily ensures its daily execution. To only apply updates once a week, place the script in /etc/cron.weekly instead.

SBDavid

Cron permissions

The following two files play an important role:

/etc/cron.allow - If this file exists, then you must be listed therein (your username must be listed) in order to be allowed to use cron jobs.

/etc/cron.deny - If the cron.allow file does not exist but the /etc/cron.deny file does exist, then you must not be listed in the /etc/cron.deny file in order to use cron jobs.

Please note that if neither of these files exists, then depending on site-dependent configuration parameters, only the super user will be allowed to use cron jobs, or all users will be able to use cron jobs.

How to set up a cron job

This tutorial covers how to set up a Cron job. Cron is a service for executing scheduled commands.

It assumes you have first logged into Virtualmin.

Click Webmin on the top-left.

Click Services.

Click Scheduled Cron Jobs.

Click Create a new scheduled cron job.

Choose the user to run as, and input the username in Execute cron job as. To run as the administrative user, input root.

Enter the command to run into the Command field. For example, if you want to receive a list of all running processes, enter ps auxw for the command.

Normally, you can skip Input to command. That’s only used if your command requires input after it begins running.

Choose how frequently to run your command. By default, it will execute Hourly, meaning it will execute at the top of the hour, every hour.

To enable the Cron job, click Create.

Any output will be emailed to the root user.

SBDavid

Cron

Cron is a time-based job scheduler in Unix-like computer operating systems.

cron - daemon to execute scheduled commands (Vixie Cron)

Example: the following will clear the Apache error log at one minute past midnight each day.

1 0 * * * echo "" > /www/apache/logs/error_log

There is also an operator which some extended versions of cron support, the slash ('/') operator (called "step"), which can be used to skip a given number of values. For example, "*/3" in the hour time field is equivalent to "0,3,6,9,12,15,18,21".

So "*" specifies 'every hour' but the "*/3" means only those hours divisible by 3.

# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,-to-,sat
# |  |  |  |  |
# *  *  *  *  *  command to be executed