Initially we wondered if we'd need to create SELinux policies to restrict this but it's much simpler than that. Cron and at support simple allow and deny files to control which users can use the commands.
/etc/cron.deny specifies which users are denied access, and /etc/cron.allow specifies which users are allowed. (For full details, see man crontab.)

In /etc/cron.deny we put:

    ALL

and in /etc/cron.allow we put:

    root
    admina
    adminb
    ...

where admina, adminb and so on are the admin users who should have cron access. /etc/at.deny and /etc/at.allow are configured the same way.

This is configured through Quattor. For now we're using the filecopy component to install the config files, but this might be a useful extension to the cron component.
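
As an added example (not part of the original post or of Quattor), the shell functions below report who ends up with cron access under a given pair of allow/deny files, which is a quick way to check the deployed files do what was intended. They assume the precedence described in crontab(1) for cronie/Vixie cron and match entries as literal user names; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: evaluate cron access from allow/deny files.
# Assumed precedence (crontab(1), cronie/Vixie cron):
#   1. allow file exists -> user must be listed in it; deny file is ignored
#   2. only deny exists  -> user must NOT be listed in it
#   3. neither exists    -> only root (other cron builds may differ)

# listed FILE USER: succeed if USER appears as a whole line in FILE.
listed() {
    grep -Fxq -- "$2" "$1"
}

# cron_access USER [ALLOW_FILE] [DENY_FILE]: prints "allowed" or "denied".
cron_access() {
    user=$1
    allow=${2:-/etc/cron.allow}
    deny=${3:-/etc/cron.deny}
    if [ -f "$allow" ]; then
        if listed "$allow" "$user"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ]; then
        if listed "$deny" "$user"; then echo denied; else echo allowed; fi
    elif [ "$user" = root ]; then
        echo allowed
    else
        echo denied
    fi
}

# audit_cron_access [ALLOW_FILE] [DENY_FILE] [PASSWD_FILE]:
# print every account in the passwd file that ends up with cron access.
audit_cron_access() {
    passwd=${3:-/etc/passwd}
    cut -d: -f1 "$passwd" | while IFS= read -r u; do
        if [ "$(cron_access "$u" "$1" "$2")" = allowed ]; then
            echo "$u"
        fi
    done
}
```

Pass /etc/at.allow and /etc/at.deny as the first two arguments to audit the at configuration the same way.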