How cron.allow and cron.deny can be used to limit access to crontab for a particular user

In most Linux distributions, access to crontab can be control by accessing two files /etc/cron.d/cron.deny and /etc/cron.d/cron.allow. Root privileges are required to edit or create the cron.deny and cron.allow files.

How cron.allow and cron.deny used to allow access

Based on existence of /etc/cron.allow and /etc/cron.deny, user is allowed or denied to edit the crontab in below sequence.

  • If cron.allow exists - only users listed into it can use crontab
  • If cron.allow does not exist - all users except the users listed into cron.deny can use crontab
  • If neither of the file exists - only the root can use crontab
  • If a user is listed in both cron.allow and cron.deny - that user can use crontab.

Deny crontab access to a specific user

To deny crontab acccess to a user, edit the file /etc/cron.d/cron.deny as root and add the usernames for whom crontab access needs to be denied. For example:

# vi /etc/cron.d/cron.deny

Here user01 and user02 will be denied access to crontab.

Allow crontab access to a specific user

Similarly to allow crontab access to a specific user, we need to add the username in /etc/cron.d/cron.allow file. For example:

# vi /etc/cron.d/cron.allow

Here user03 and user04 will be allowed access to use the crontab.