Tuesday, 23 April 2013

In depth cron access control for AIX


AIX controls cron access with the cron.allow and cron.deny files.   This posting will take a look in to how these files work and some potential issues you might run in to.

The cron.allow and cron.deny files are located under the /var/adm/cron directory.   In each file you list one user name per line.  

There are two main approaches that you can take to restricting access to cron.   You can use the cron.allow file, which works as a whitelist of users who are allowed to use cron.   Anyone listed in cron.allow is permitted to use cron, and anyone not explicitly listed in cron.allow is not permitted to use cron.  If the cron.allow file exists then it will enable this whitelist mode.

The other option is using the cron.deny file which works as a blacklist of users who are not allowed to use cron.  All users that are not listed in cron.deny are permitted to use cron (unless a cron.allow file exists, in which case only users listed in cron.allow will be able to use cron.)

By default when you install AIX there is just an empty cron.deny file (no cron.allow file exists by default).   This essentially allows all users access to cron by default.

This all seems pretty straight forward, but there are a couple of potential issues or unexpected results that you might run in to when working with cron access control:

If neither the cron.allow or cron.deny files exist:   Then only the root user will have access to crontab.   Other users will not be able to run crontab, however any of their existing cron jobs will still be run by cron (not what I expected).  

If a user is listed in both cron.allow and cron.deny:   The user will still have access to crontab and their cron jobs will continue to run (not what I would have expected).   This also goes against what is in the AIX documentation.

If a user is added to cron.deny or removed from cron.allow after they already had cron jobs setup:  Their existing cron jobs will no longer be run by cron until cron.allow/cron.deny are changed to permit them access, at which time their cron jobs will start running again.

If the cron.allow exists and root is not listed in it:  You can and will lock root out of cron.   Always list root in the cron.allow file if it exists.  

If a user account is locked (account_locked=true):   This has no effect on cron.   The user's cron jobs will continue to run

If cron.allow/cron.deny are correctly setup to give the user cron access but they are still denied access to cron:    Check the users "daemon" attribute (lsuser -a daemon <user>).   If daemon is set to false for a user, they will not be able to use cron.   This setting can be changed by running "chuser daemon=true <user>"

Obviously some of this behavior might differ between different AIX releases/updates, so you will want to do your own testing on your system to verify.  

Please post a comment if you have run in to other unexpected or weird issues with cron access control.   

0 blogger-disqus:

Post a comment