Restricting user for cron commands
So, I have an interesting job: to create a cronjob management system for server users. Example:
john
dave
lucas
....
Wondering how to prevent those users from running something like this in cron:
* * * * * "rm -rf /"
I need to limit their access only to php, cURL and wget.
Comments
If a user can do damage using rm, limiting the user to wget or similar doesn't change much.
Just only expose the commands to users you want to allow.
Obviously there's nothing that prevents a user from writing a PHP script that loops over the filesystem and unlinks it.
But then again, rm -rf / should ever only screw their own account, right?
Fair point. Then how to limit user just to particular set of commands?
I had intended to say "Why not Google it yourself?",
but after Googling manually, I found this is an interesting question.
How to limit user commands in Linux [closed]
I wouldn't focus too much on (shell) commands, but on capabilities, so would use something like firejail to restrict what the user can do.
If other options fail, programming a wrapper for cron may be an option. Give users access to edit a cron-like text file in the home directory, then have root's cron su to the user and run allowed commands in their file.
As others noted though, if a user does something destructive, it only ruins directories they have write permissions. That's why we have users & permissions.
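The cron wrapper suggested in the comment above, sketched as an added example (not code from any poster in this thread): root's job parses a user's cron-like file, accepts only php, curl and wget, and runs each accepted job as that user without a shell. The install paths, the file format and the helper names parse_user_crontab and run_as are assumptions.

```python
import pwd
import re
import shlex
import subprocess

# Assumed install paths; adjust to the host. Only these bare names are accepted.
ALLOWED = {"php": "/usr/bin/php", "curl": "/usr/bin/curl", "wget": "/usr/bin/wget"}
FIELD = re.compile(r"^[0-9*/,\-]+$")  # numeric cron schedule fields only

def parse_user_crontab(text):
    """Return (jobs, rejected): jobs are (schedule, argv); rejected are (lineno, reason)."""
    jobs, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6 or not all(FIELD.match(f) for f in parts[:5]):
            rejected.append((lineno, "bad schedule"))
            continue
        try:
            argv = shlex.split(parts[5])
        except ValueError:
            rejected.append((lineno, "unbalanced quotes"))
            continue
        if not argv or argv[0] not in ALLOWED:
            rejected.append((lineno, "command not allowed"))
            continue
        # Replace the name with a fixed absolute path so PATH cannot redirect it.
        jobs.append((" ".join(parts[:5]), [ALLOWED[argv[0]]] + argv[1:]))
    return jobs, rejected

def run_as(user, argv, timeout=300):
    """Run one accepted job as `user` (caller must be root); no shell, so ';' stays literal."""
    pw = pwd.getpwnam(user)
    return subprocess.run(argv, user=pw.pw_uid, group=pw.pw_gid, extra_groups=[],
                          cwd=pw.pw_dir, env={"HOME": pw.pw_dir}, timeout=timeout)

# Constructed sample file, including the line from the question.
SAMPLE = """\
# john's jobs
*/5 * * * * php /home/john/job.php
0 3 * * * curl -fsS "https://example.com/ping?a=1&b=2"
* * * * * "rm -rf /"
* * * * * /tmp/php job.php
@reboot wget https://example.com/x
30 2 * * 1 php /home/john/job.php ; id
"""
```

As the thread points out, an allowed php can still run any PHP code, so this filter narrows what cron launches while file permissions on the account remain the actual boundary.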
Does anyone have a clue how Directadmin handles user access? It is some sort of a jail (not cagefs).