The requirement here is that no non-root user should be allowed to edit crontab entries. This post describes the steps to enforce that. There are three ways to achieve this:
1. Disable SSH access to the system for non-root users, which in turn disables shell login itself for a non-root user.
2. Add the user name to the file /etc/cron.deny, one user per line. This is the typical method, and it affects only the users listed in the file.
# cat /etc/cron.deny
oracle
Another easy workaround is to leave the /etc/cron.deny file empty and add only the root user name to the file /etc/cron.allow. When /etc/cron.allow exists, only the users listed in it may use crontab, so this allows only the root user to modify or add cron entries.
Verify the restriction by trying to create a crontab entry as the denied user. It should give an error as shown below.
# crontab -e
You (oracle) are not allowed to use this program (crontab)
See crontab(1) for more information
3. Another, more aggressive approach is to remove the execute permission on the crontab command for everyone except root. This in turn affects the ability of all non-root users to modify or add cron entries.
Default permissions of the file /usr/bin/crontab:
# ls -lrt /usr/bin/crontab
-rwsr-xr-x 1 root root 51784 Jul 22 2016 /usr/bin/crontab
After removing the execute permission:
# chmod 700 /usr/bin/crontab
# ls -lrt /usr/bin/crontab
-rwx------ 1 root root 51784 Jul 22 2016 /usr/bin/crontab
Note the default permissions of the /usr/bin/crontab file before making any change, so that they can be restored if needed:
# stat /usr/bin/crontab
  File: `/usr/bin/crontab'
  Size: 51784       Blocks: 104        IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 1318020     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-09-13 09:39:27.192418684 +0530
Modify: 2016-07-22 12:50:39.000000000 +0530
Change: 2017-09-08 18:11:33.668586770 +0530
Verify by trying to create a crontab entry as the denied user:
# crontab -e
bash: /usr/bin/crontab: Permission denied
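The following audit script is an added example, not part of the original post. It evaluates methods 2 and 3 together: it applies the cron.allow / cron.deny precedence from crontab(1) to a user name and checks whether the crontab binary is closed to group and others. The function names are hypothetical, and the "neither file exists means root only" rule is an assumption based on cronie (RHEL family); other cron packages may differ.

```shell
#!/bin/sh
# Added example: decide whether a user may run crontab, following the
# cron.allow / cron.deny precedence documented in crontab(1).
# Assumption: cronie behaviour. The superuser is always allowed (cronie checks
# uid 0; the name "root" is used here), and with neither file only root is allowed.

# listed FILE USER -> exit 0 if USER appears alone on a line in FILE
listed() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# cron_access USER [ALLOW_FILE] [DENY_FILE] -> prints "allowed" or "denied"
cron_access() {
    user=$1
    allow=${2:-/etc/cron.allow}
    deny=${3:-/etc/cron.deny}
    if [ "$user" = root ]; then
        echo allowed                      # superuser bypasses both files
    elif [ -f "$allow" ]; then
        # cron.allow exists: it is the only file consulted, cron.deny is ignored
        if listed "$allow" "$user"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ]; then
        if listed "$deny" "$user"; then echo denied; else echo allowed; fi
    else
        echo denied                       # neither file: root only (assumed)
    fi
}

# binary_locked PATH -> exit 0 if group and others have no access bits (e.g. 700)
binary_locked() {
    mode=$(stat -c %a "$1") || return 2   # GNU stat, octal mode such as 4755
    case $mode in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Report on the live system when run with user names as arguments.
for u in "$@"; do
    printf '%s: %s\n' "$u" "$(cron_access "$u")"
done
```

Run it as `sh script.sh oracle root` to report each named user against the live /etc/cron.allow and /etc/cron.deny.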