Here's a weird issue. I want to make a crontab for a user that is read-only for that particular user and can only be managed by root. Sounds easy? Here's the catch:

    $ ls -alh /var/spool/cron/my_user
    -r-------- 1 root root 386 May 8 15:13 /var/spool/cron/my_user

So, the file is owned by root (user and group) and has read permission (0400) for root only.
The catch:
    $ su - my_user
    my_user~$ crontab -e
    (write something to the crontab)
    crontab: installing new crontab
    $ ls -alh /var/spool/cron/my_user
    -rw------- 1 my_user my_user 386 May 8 15:13 /var/spool/cron/my_user

So a file owned by root, readable only by root, could be read by a non-privileged user and was then changed to 0600 (rw) and owned by that user?
What obvious catch am I missing?
crontab is setuid. So users can update their crontab.
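An added example, not part of the answer above, that checks the setuid explanation from a shell. The POSIX `test -u` operator reports the setuid bit, and the owner column of `ls -ld` shows whose privileges the binary runs with. The demonstration uses a constructed temporary file rather than the real binary so it runs anywhere; the final lines inspect the installed `crontab` only if one exists (read-only inspection, no changes).

```shell
#!/bin/sh
# Added example (not from the question or answers): show why a user can
# replace a root-owned 0400 crontab file. The crontab(1) binary is setuid
# root, so the write is performed by root on the user's behalf.

# Return 0 if FILE has the setuid bit set, 1 otherwise (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Print "setuid <owner>" or "not setuid" for FILE.
describe_setuid() {
    f="$1"
    if is_setuid "$f"; then
        # Field 3 of ls -ld is the owner; works with GNU and BSD ls.
        owner=$(ls -ld "$f" | awk '{print $3}')
        echo "setuid $owner"
    else
        echo "not setuid"
    fi
}

# Demonstrate on a constructed temp file (owned by the current user):
# a plain 0755 file, then the same file with u+s added.
demo() {
    tmp=$(mktemp) || return 1
    chmod 0755 "$tmp"
    before=$(describe_setuid "$tmp")
    chmod u+s "$tmp"
    after=$(describe_setuid "$tmp")
    rm -f "$tmp"
    echo "before: $before; after: $after"
}

# Inspect the real binary when it is installed; a typical result is
# "setuid root", which is exactly what lets crontab -e replace the spool file.
crontab_bin=$(command -v crontab 2>/dev/null)
[ -n "$crontab_bin" ] && echo "$crontab_bin: $(describe_setuid "$crontab_bin")"
demo
```

The point for a defender: because the spool file is rewritten by a root process, the permissions on `/var/spool/cron/my_user` do not restrict the user at all; the controls that matter are the ones `crontab` itself consults.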
What version of cron are you running? If you are running a version that supports putting fragments in /etc/cron.d, then you should do that. Use the system /etc/crontab file instead of a user crontab.
You could make /var/spool/cron/my_user immutable after you install the modifications you desire, to prevent changes:

    sudo chattr +i /var/spool/cron/my_user
You can add the user to /etc/cron.deny. This will deny the user access to the crontab command and she cannot edit her crontab anymore. AFAICT an entry in /etc/cron.deny does not disable the defined cronjobs.
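An added example, not part of the answer above, that models the allow/deny check `crontab` applies so the effect of a /etc/cron.deny entry can be tried on constructed files instead of the live system. The rule assumed here is the Vixie/ISC cron one: if cron.allow exists only listed users may use `crontab`; otherwise, if cron.deny exists, listed users are refused; with neither file present the outcome is build-specific, and this script assumes "allowed". The paths and the user name `my_user` are taken from the question; the temporary directory and its contents are constructed.

```shell
#!/bin/sh
# Added example (not from the answers): the access check crontab(1) performs
# before letting a user edit a crontab. Assumed Vixie/ISC cron semantics:
#   1. if ALLOW exists, USER must be listed in it;
#   2. else if DENY exists, USER must not be listed in it;
#   3. if neither exists the result is build-specific; assume allowed.

# cron_access USER ALLOW DENY -> 0 if USER may run crontab, 1 otherwise.
cron_access() {
    user="$1"; allow="$2"; deny="$3"
    if [ -f "$allow" ]; then
        grep -qx "$user" "$allow"        # -x: whole-line match only
    elif [ -f "$deny" ]; then
        ! grep -qx "$user" "$deny"
    else
        return 0
    fi
}

# explain USER ALLOW DENY -> one-line verdict, for reading the result.
explain() {
    if cron_access "$1" "$2" "$3"; then
        echo "$1: may run crontab"
    else
        echo "$1: crontab access denied"
    fi
}

# Demonstration on a constructed directory standing in for /etc.
demo() {
    etc=$(mktemp -d) || return 1
    printf 'my_user\n' > "$etc/cron.deny"          # constructed deny list
    explain my_user "$etc/cron.allow" "$etc/cron.deny"
    explain other   "$etc/cron.allow" "$etc/cron.deny"
    # Once an allow list exists it takes precedence over the deny list.
    printf 'other\n' > "$etc/cron.allow"            # constructed allow list
    explain my_user "$etc/cron.allow" "$etc/cron.deny"
    explain other   "$etc/cron.allow" "$etc/cron.deny"
    rm -rf "$etc"
}

demo
```

As the answer notes, this check only gates the `crontab` command; jobs already installed in the spool keep running, so a deny entry is a way to freeze the root-managed crontab, not to stop it.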