Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 12-20-2005, 10:58 AM   #1
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Rep: Reputation: 15
Best practices for creating a crontab-only account?

I want to run at least one cron job that does not require root or any other special privileges. I therefore want to create a user account (named "cronjobs") whose sole purpose is to run crontab entries.

What's the best way to do this to ensure the best security (at least on my Redhat9 system)?

(I'm sure this is a general faq asking about how to "lock down" accounts like this is general...but I could not find answers anywhere in my brief search.)

Here's what I've come up with thus far, as a cmdline procedure (run as root):

useradd -s /dev/null cronjobs
rm -rf /home/cronjobs
passwd -d cronjobs
echo 'DenyUsers cronjobs' >> /etc/ssh/sshd_config
service sshd reload
crontab -u cronjobs -e  # Edit the crontab
Is this a valid approach? Am I missing anything?

Specific question:

Does the 'passwd -d' effectively deny any password-based logins? (The manpage on my RH9 system is a little ambiguous.)

Old 12-20-2005, 11:07 AM   #2
Registered: Nov 2004
Location: Chicago, IL USA
Posts: 42

Original Poster
Rep: Reputation: 15
Originally Posted by mattengland
passwd -d cronjobs
Oops, this allows anyone to become 'cronjobs' (at least on my RH9 system), and that was definitely not what I intended.

How does one make a bogus password without just having to make up some random password?

Also, does 'passwd -l cronjobs' serve any purpose here other then disallowing password changes?

Old 12-20-2005, 10:15 PM   #3
Registered: Sep 2005
Location: Austin, TX
Distribution: Slackware
Posts: 31

Rep: Reputation: 15
This may not be totally true, but I think it is. One effective way to prevent people from logging is as this user, is to remove the shell in passwd. Change it from /bin/bash to something like /bin/false. This prevents a shell from spawning when someone attempts to login as that user. You should still be able to run scripts, but I don't believe that you could use scp or ssh with the account from another box.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
creating a guest account tardigrade Linux - General 2 02-04-2005 04:33 PM
creating user account Robin01 Linux - Newbie 2 01-25-2004 02:17 PM
Creating A Root Account qcoder Linux - General 9 10-15-2003 04:05 AM
Creating a Jabber account with Gaim Lossenelin Linux - Software 0 09-28-2003 06:05 AM
KPPP Creating a account.. PLS HELP RedMandrake Linux - Networking 1 09-16-2002 05:03 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:26 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration