Information
Configure /etc/at.allow to allow specific users to use this service. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in this file is allowed to use at By removing the file, only users in /etc/at.allow are allowed to use at
Note: Other methods, such as systemd timers exist for scheduling jobs. If another method is used, at should be removed, and the alternate method should be secured in accordance with local site policy
On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
Solution
Run the following script to:
- Remove /etc/at.deny if it exists
- Create /etc/at.allow if it doesn't exist
- Change ownership of /etc/at.allow to the root user
- Change group ownership of /etc/at.allow to the group root
#!/usr/bin/env bash
{
if dpkg-query -W at > /dev/null 2>&1; then
l_file="/etc/at.allow"
l_mask='0137'
l_maxperm="$( printf '%o' $(( 0777 & ~$l_mask)) )"
if [ -e /etc/at.deny ]; then
echo -e " - Removing \"/etc/at.deny\""
rm -f /etc/at.deny
fi
if [ ! -e /etc/at.allow ]; then
echo -e " - creating \"$l_file\""
touch "$l_file"
fi
while read l_mode l_fown l_fgroup; do
if [ $(( $l_mode & $l_mask )) -gt 0 ]; then
echo -e " - Removing excessive permissions from \"$l_file\""
chmod u-x,g-wx,o-rwx "$l_file"
fi
if [ "$l_fown" != "root" ]; then
echo -e " - Changing owner on \"$l_file\" from: \"$l_fown\" to: \"root\""
chown root "$l_file"
fi
if [ "$l_fgroup" != "root" ]; then
echo -e " - Changing group owner on \"$l_file\" from: \"$l_fgroup\" to: \"root\""
chgrp root "$l_file"
fi
done < <(stat -Lc '%#a %U %G' "$l_file")
else
echo -e "- cron is not installed on the system, no remediation required
"
fi
}