HPE Community
Operating System - HP-UX
1821051 Members
2504 Online
109631 Solutions
New Discussion юеВ

cron file permission

 
jh_yang
Advisor

тАО02-26-2004 08:26 AM

тАО02-26-2004 08:26 AM

cron file permission

I'd like to setup the permission of /var/spool/cron/crontabs/oracle to 444 to allow everyone see oracle's cron file. But after a change to that cron file using crontab -e, the permission goes back to 400 which is the default value. Any way to make the change permenent?

Thanks
David Yang
0 Kudos
Reply
6 REPLIES 6
Todd McDaniel_1
Honored Contributor

тАО02-26-2004 08:34 AM

тАО02-26-2004 08:34 AM

Re: cron file permission

The easiest way is to script it where each time you edit it, you create a oracle.orig or oracle.bak and make that 444.

or just save it out with crontab -l > oracle.bak.... Of course the Directory /var/spool/cron/crontabs is read/exe only for the owner... so you may still have problems with that.

root:/var/spool/cron/crontabs
# ls -ld
dr-x------ 2 bin bin 1024 Feb 22 22:11 .
Unix, the other white meat.
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

тАО02-26-2004 08:40 AM

тАО02-26-2004 08:40 AM

Re: cron file permission

This is a bad idea. It is seemingly innocent to allow someone to view a crontab BUT eventhough they can't change the crontab, now that they know what commands are run by cron on that user's behalf, they might be able to substitute their own commands in place of the ones listed in the crontab.

A better method, is to allow them to su - oracle and then do a crontab -l. What they don't have oracle's password? Then they don't need to see Oracle's crontab either.
If it ain't broke, I can fix that.
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО02-26-2004 08:43 AM

тАО02-26-2004 08:43 AM

Re: cron file permission

If you or management wants to know what cron does when then the authorized user can publish a schedule without commands.

crontab -l >/tmp/file

edit it.
send it.

Changing permission on this file is not a good idea.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Charlie Rubeor
Frequent Advisor

тАО02-26-2004 08:46 AM

тАО02-26-2004 08:46 AM

Re: cron file permission

I believe that you should be able to use sudo for this. You should be able to include "crontab -l oracle" in the sudoers file for the users that need to view the oracle crontab.

Sudo is available from HPUX Porting and Archive Center.
0 Kudos
Reply
Bill Hassell
Honored Contributor

тАО02-26-2004 11:41 AM

тАО02-26-2004 11:41 AM

Re: cron file permission

As mentioned, cron needs permissions set correctly for security. I would recommend using sudo for all your requirements. For the users that need to view the current crontab entry, create a list of trusted (also means knowledgeable) users, then give them ONLY the "crontab -l oracle" command. sudo will disallow any other commands aas well as disallowing any other options or usernames.


Bill Hassell, sysadmin
0 Kudos
Reply
Jeroen Peereboom
Honored Contributor

тАО02-26-2004 05:36 PM

тАО02-26-2004 05:36 PM

Re: cron file permission

L.S.

why don't you add a cronjob to oracle's crontab that writes it crontab to a file readable by those you want to be able to read it.
A daily job should be sufficient, assuming oracle's crontab is not changing that much.
Something like:
0 7 * * * crontab -l > /..../oracle.cron

JP.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.