
Re: cron file permission

 
jh_yang
Advisor

cron file permission

I'd like to set up the permission of /var/spool/cron/crontabs/oracle to 444 to allow everyone to see oracle's cron file. But after a change to that cron file using crontab -e, the permission goes back to 400, which is the default value. Any way to make the change permanent?

Thanks
David Yang
6 REPLIES
Todd McDaniel_1
Honored Contributor

Re: cron file permission

The easiest way is to script it where each time you edit it, you create an oracle.orig or oracle.bak and make that 444.

Or just save it out with crontab -l > oracle.bak.... Of course the directory /var/spool/cron/crontabs is read/exe only for the owner... so you may still have problems with that.

root:/var/spool/cron/crontabs
# ls -ld
dr-x------ 2 bin bin 1024 Feb 22 22:11 .
Unix, the other white meat.
A. Clay Stephenson
Acclaimed Contributor

Re: cron file permission

This is a bad idea. It is seemingly innocent to allow someone to view a crontab BUT even though they can't change the crontab, now that they know what commands are run by cron on that user's behalf, they might be able to substitute their own commands in place of the ones listed in the crontab.

A better method is to allow them to su - oracle and then do a crontab -l. What, they don't have oracle's password? Then they don't need to see Oracle's crontab either.
If it ain't broke, I can fix that.
Steven E. Protter
Exalted Contributor

Re: cron file permission

If you or management wants to know what cron does when, then the authorized user can publish a schedule without commands.

crontab -l >/tmp/file

edit it.
send it.

Changing permission on this file is not a good idea.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
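
The "publish a schedule without commands" step described in the post above can be scripted instead of edited by hand. The following is an added example, not part of the original post; the function names, the placeholder text and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added example: print a cron schedule with the command column withheld.
# Reads crontab text on stdin (for instance piped straight from `crontab -l`,
# so the full crontab never lands in a world-readable file) and emits only the
# five time fields of each job. Anything it cannot parse as a job is withheld
# rather than echoed, so a malformed line cannot leak a command.

redact_crontab() {
    awk '
        function is_time(f) { return f ~ "^[0-9*,/-]+$" }
        NF == 0        { next }    # blank line
        $1 ~ /^#/      { next }    # comment: may describe what the job does
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }    # VAR=value line
        NF >= 6 && is_time($1) && is_time($2) && is_time($3) &&
                   is_time($4) && is_time($5) {
            printf "%s %s %s %s %s <command withheld>\n", $1, $2, $3, $4, $5
            next
        }
        { print "<unparsed line withheld>" }    # fail closed
    '
}

# Constructed sample input (hypothetical paths), standing in for `crontab -l`.
sample_crontab() {
    cat <<'EOF'
# nightly export (constructed sample)
0 2 * * * /home/oracle/bin/nightly_export.sh -p /home/oracle/.exp_passwd
30 6 * * 1-5 /home/oracle/bin/stats.sh > /tmp/stats.log 2>&1

ORACLE_SID=PROD
@daily /home/oracle/bin/cleanup.sh
EOF
}

sample_crontab | redact_crontab
```

Run as the crontab owner, `crontab -l | redact_crontab > schedule.txt` produces a file that shows when jobs run without naming the scripts, arguments or paths.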
Charlie Rubeor
Frequent Advisor

Re: cron file permission

I believe that you should be able to use sudo for this. You should be able to include "crontab -l oracle" in the sudoers file for the users that need to view the oracle crontab.

Sudo is available from HPUX Porting and Archive Center.
Bill Hassell
Honored Contributor

Re: cron file permission

As mentioned, cron needs permissions set correctly for security. I would recommend using sudo for all your requirements. For the users that need to view the current crontab entry, create a list of trusted (also means knowledgeable) users, then give them ONLY the "crontab -l oracle" command. sudo will disallow any other commands as well as disallowing any other options or usernames.


Bill Hassell, sysadmin
Jeroen Peereboom
Honored Contributor

Re: cron file permission

L.S.

Why don't you add a cronjob to oracle's crontab that writes its crontab to a file readable by those you want to be able to read it?
A daily job should be sufficient, assuming oracle's crontab is not changing that much.
Something like:
0 7 * * * crontab -l > /..../oracle.cron

JP.