Fix permissions on /etc/{at,cron}.allow
Permissions 640 root:root doesn't allow regular user to read
/etc/{at,cron}.allow files, that changes behavior of at / crontab
commands:
* crontab command can't read /etc/cron.allow and allow any user to modify
their crontab files.
* at command can't read /etc/at.allow and deny every user.
at / crontab files have SGID bits set, so setting correct group
on /etc/{at,cron}.allow fixes the issue.
Change-Id: I4a3fc8d8e823498d6715e26307424e3065cbd6ca
diff --git a/linux/system/at.sls b/linux/system/at.sls
index a441d1a..864ae0c 100644
--- a/linux/system/at.sls
+++ b/linux/system/at.sls
@@ -33,8 +33,8 @@
- template: jinja
- source: salt://linux/files/cron_users.jinja
- user: root
- - group: root
- - mode: 0600
+ - group: daemon
+ - mode: 0640
- defaults:
users: {{ allow_users | yaml }}
- require:
diff --git a/linux/system/cron.sls b/linux/system/cron.sls
index 7f7ae0e..a5f57a4 100644
--- a/linux/system/cron.sls
+++ b/linux/system/cron.sls
@@ -33,8 +33,8 @@
- template: jinja
- source: salt://linux/files/cron_users.jinja
- user: root
- - group: root
- - mode: 0600
+ - group: crontab
+ - mode: 0640
- defaults:
users: {{ allow_users | yaml }}
- require: