[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] crontabs vs /etc/cron.[daily,hourly,*] vs. /etc/cron.d/

To: adamm@xxxxxxxxx
Subject: Re: [SAGE] crontabs vs /etc/cron.[daily,hourly,*] vs. /etc/cron.d/
From: Richard Chycoski <rskiadmin@xxxxxxxxxxxx>
Date: Thu, 10 Jan 2008 10:51:21 -0800
Authentication-results: sj-dkim-3; header.From=rskiadmin@xxxxxxxxxxxx; dkim=neutral
Cc: sage-members@xxxxxxxxxx
In-reply-to: <20080110134712.BEDB866C04F@xxxxxxxxxxxxxxxxxxxxx>
References: <20080110134712.BEDB866C04F@xxxxxxxxxxxxxxxxxxxxx>
Reply-to: rskiadmin@xxxxxxxxxxxx
Sender: owner-sage-members@xxxxxxxxxx
User-agent: Thunderbird 2.0.0.0 (Windows/20070326)

In our environments that have not yet been transitioned to bettercentralised batch control tools (we're working towards eventuallyeliminating cron entirely), we have 'generic' user accounts that areaccessible only via sudo that contain cron jobs for specific applicationareas. This gives us user-level security (users can't run jobs as root orany other user) and accountability (sudo logs tell us who's messing with thegeneric accounts) while still being able to delegate responsibility toapplication teams. It does mean that applications support people can (andoccasionally do) mess up a crontab, but it doesn't happen often becausethey're generally careful - and know that we have the logs. :-)

Individual users can create crontabs of their own on many of theshared-resource machines in the Engineering environment, but not on most ofthe Corporate servers. They can also create them on their desktops orlaptops. These policies are getting tighter over time.

'System' crons still run either from root's crontab or the /etc/cron*directories, depending on the OS.

It's a compromise that generally works for the thousands of servers and tensof thousands of desktops/laptops that run Unix/Linux in our environment.Eventually eliminating cron on all of the servers in the data centres is ourgoal to provide better reliability, control, monitoring, and accountability.

Desktops aren't such an issue for us and may stay with cron, but that willbe an issue for our desktop services and OS support people to decide.


- Richard


Adam Moskowitz wrote:

"Gary Richardson" <gary.richardson@xxxxxxxxx> wrote:

I think the per user crontabs should be avoided. . . . I'm sure we've all
had instances where critical crontabs stop running after an account is
disabled when an employee leaves.


While I tend to agree that, for "operational" processes, user crontabs
should be avoided, I do not agree with Gary's reasoning. Having a critical
process run out of an individual user's crontab is bad, this is not a
technical problem and does not require a technical solution. In other
words, even if user crontabs are available, don't use them for
operational processes, document that such use is prohibited, and enforce
this via managerial means.

In situations where even sysadmins shouldn't be running cron jobs on
production systems then there's probably no good reason for even
providing user crontabs. However, in lots of other situations, giving
users (sysadmins and others) access to cron for their personal use is
often a valuable thing. I don't think this should be prohibited simply
because some people abuse the mechanism.

In other words, abuse should not dictate (or deny) use.

AdamM

References:
- Re: [SAGE] crontabs vs /etc/cron.[daily,hourly,*] vs. /etc/cron.d/
  - From: Adam Moskowitz

Prev by Date: [SAGE] Websense implementations on Linux
Next by Date: Re: [SAGE] Websense implementations on Linux
Previous by thread: Re: [SAGE] crontabs vs /etc/cron.[daily,hourly,*] vs. /etc/cron.d/
Next by thread: Re: [SAGE] crontabs vs /etc/cron.[daily,hourly,*] vs. /etc/cron.d/
Index(es):
- Date
- Thread