Hello. I am transitioning from a system that used Solaris to one that uses a Linux flavor (CentOS). For the Solaris system, I was not an administrator, but will be for the Linux system. In order to run cron jobs, our users had to "su" to a role (not account) that was set up to run cron jobs. Individual accounts were not permitted to run cron jobs, one reason being if someone left, the system continued to run after the account was disabled.
What is the similar paradigm in Linux? Do I create a no login user/no ssh user, where users can only "su" to this account? Something else? Thanks.
It's up to you. Personally, I let my users set up cron jobs on their own accounts, I really don't see the harm in it. If you're going to go to the trouble of disabling the user's account when they leave, why not just comment out their cron entries at the same time? It takes all of five seconds. I assume you would be commenting out their entries on this dedicated cron account anyway, right? So what's the difference?
Going through the hassle of setting up a dedicated user just for running cron jobs, and the hassle of your users having to use this special account for all cron jobs (what if they need a job run in their home directory? Aren't permissions a nightmare?) just seems like a roundabout "solution" to a non-existent problem to me. *shrug*
Last edited by suicidaleggroll; 12-19-2014 at 04:44 PM.
In this particular case "best practice" is what the site decides.
In one instance where I worked, there was a designated production user. The account itself couldn't be logged in to, BUT staff users that were authorized to use the account could get logged in by first authenticating via Kerberos, then they could use their personal credentials to remotely log in to the account.
In this way, we had control over the account, and audit logs of who, when, and from where, they logged in. Without Kerberos, there is no auditing of who is getting logged in. sudo can SORT of do it, but not all information can be recorded (specifically, the "from where").
ssh logins using RSA can also sort of do it... but it then depends on the security of the user's workstation to protect the private keys...
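
Added example, not part of any post in this thread: a small audit of who used sudo to act as a shared cron role account, run over sudo's syslog lines as they appear in /var/log/secure on CentOS. The role name `cronrole`, the user and host names, and the sample log lines are constructed for illustration; note that the sudo lines carry a TTY but no source host, which is the "from where" gap mentioned above.

```shell
#!/bin/sh
# role_audit ROLE < logfile
# For every sudo invocation targeting ROLE, print:
#   <month> <day> <time> <ok|DENIED> <invoking user> <tty> <command>
role_audit() {
    awk -v role="$1" '
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && /COMMAND=/ {
        invoker = $6; tty = "?"; target = ""
        # sudo separates its key=value fields with " ; "; COMMAND is last
        n = split($0, seg, / ; /)
        for (i = 1; i <= n; i++) {
            if (seg[i] ~ /^COMMAND=/) break
            if (seg[i] ~ /TTY=/)        { tty = seg[i]; sub(/.*TTY=/, "", tty) }
            else if (seg[i] ~ /^USER=/) { target = substr(seg[i], 6) }
        }
        if (target != role) next
        # Take the command from the raw line so a " ; " inside it survives
        cmd = substr($0, index($0, "COMMAND=") + 8)
        status = ($0 ~ /NOT in sudoers|command not allowed/) ? "DENIED" : "ok"
        printf "%s %s %s %s %s %s %s\n", $1, $2, $3, status, invoker, tty, cmd
    }'
}

# Constructed sample of /var/log/secure content (not real log data).
sample_log() {
    cat <<'EOF'
Dec 19 16:40:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=cronrole ; COMMAND=/usr/bin/crontab -e
Dec 19 16:41:12 host1 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls
Dec 19 16:45:30 host1 sudo:    carol : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/carol ; USER=cronrole ; COMMAND=/usr/bin/crontab -l
Dec 19 16:50:00 host1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
EOF
}

# Stand-alone run against the constructed sample
sample_log | role_audit cronrole
```

On a real host the function would be fed the log itself, for example `role_audit cronrole < /var/log/secure`, with the role name replaced by the site's own account.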