LinuxQuestions.org
Old 12-20-2005, 09:58 AM   #1
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Rep: Reputation: 15
Best practices for creating a crontab-only account?


I want to run at least one cron job that does not require root or any other special privileges. I therefore want to create a user account (named "cronjobs") whose sole purpose is to run crontab entries.

What's the best way to do this to ensure the best security (at least on my Redhat9 system)?

(I'm sure this is a general FAQ asking about how to "lock down" accounts like this in general...but I could not find answers anywhere in my brief search.)

Here's what I've come up with thus far, as a cmdline procedure (run as root):

Code:
useradd -s /dev/null cronjobs
rm -rf /home/cronjobs
passwd -d cronjobs
echo 'DenyUsers cronjobs' >> /etc/ssh/sshd_config
service sshd reload
crontab -u cronjobs -e  # Edit the crontab

Is this a valid approach? Am I missing anything?

Specific question:

Does the 'passwd -d' effectively deny any password-based logins? (The manpage on my RH9 system is a little ambiguous.)

-Matt
 
Old 12-20-2005, 10:07 AM   #2
mattengland
Member
 
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by mattengland
Code:
passwd -d cronjobs

Oops, this allows anyone to become 'cronjobs' (at least on my RH9 system), and that was definitely not what I intended.

How does one make a bogus password without just having to make up some random password?

Also, does 'passwd -l cronjobs' serve any purpose here other than disallowing password changes?

-Matt
 
Old 12-20-2005, 09:15 PM   #3
zhizaki
Member
 
Registered: Sep 2005
Location: Austin, TX
Distribution: Slackware
Posts: 31

Rep: Reputation: 15
This may not be totally true, but I think it is. One effective way to prevent people from logging in as this user is to remove the shell in passwd. Change it from /bin/bash to something like /bin/false. This prevents a shell from spawning when someone attempts to log in as that user. You should still be able to run scripts, but I don't believe that you could use scp or ssh with the account from another box.
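
Added example, not part of the thread or written by any of its posters: a small shell check that reads an account's /etc/passwd and /etc/shadow lines and reports whether the password field is empty (what `passwd -d` leaves), locked (`passwd -l` prepends "!") or set, and whether the login shell is interactive. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify the password field (2nd field of an /etc/shadow line).
password_state() {
    pw_field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw_field" in
        '')         echo empty ;;   # left by `passwd -d`: no password is required
        '!'*|'*'*)  echo locked ;;  # no hash can match; `passwd -l` prepends "!"
        *)          echo set ;;     # a usable password hash is present
    esac
}

# Classify the login shell (7th field of an /etc/passwd line).
# An empty shell field means /bin/sh, so it counts as interactive.
shell_state() {
    login_shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$login_shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false|/dev/null)
            echo noninteractive ;;
        *)  echo interactive ;;
    esac
}

# Print both findings; succeed only when the password is locked
# and the shell cannot be used for an interactive login.
audit_account() {
    pw_result=$(password_state "$2")
    sh_result=$(shell_state "$1")
    echo "password=$pw_result shell=$sh_result"
    [ "$pw_result" = locked ] && [ "$sh_result" = noninteractive ]
}

# Constructed sample lines (not taken from a real system).
PASSWD_LINE='cronjobs:x:501:501::/home/cronjobs:/dev/null'
SHADOW_EMPTY='cronjobs::13137:0:99999:7:::'      # state after `passwd -d`
SHADOW_LOCKED='cronjobs:!!:13137:0:99999:7:::'   # locked, no hash

for shadow_line in "$SHADOW_EMPTY" "$SHADOW_LOCKED"; do
    if audit_account "$PASSWD_LINE" "$shadow_line"; then
        echo "  -> no password or interactive login possible"
    else
        echo "  -> account still allows some form of login"
    fi
done

# On a live system (as root), feed it the real entries:
#   audit_account "$(getent passwd cronjobs)" "$(getent shadow cronjobs)"
```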