.\"
.\" $Id: cron.8,v 1.8 2004/01/23 19:03:32 vixie Exp $
.\"
-.TH CRON "8" "10 January 1996" "Linux Programmer's Manual"
+.TH CRON "8" "10 January 2007" "Linux Programmer's Manual"
.UC 4
.SH NAME
cron \- daemon to execute scheduled commands (ISC Cron V4.1)
.SH SYNOPSIS
.B cron
-.RB [ \-l
-.IR load_avg ]
-.RB [ \-n ]
-.RB [ \-p ]
-.RB [ \-m <mail command> ]
+.RB [ -n " | " -p " | " -m \fP\fI<mail command>\fP\fB ]
+.br
+.B cron
+.B -x
+.RB [ext,sch,proc,pars,load,misc,test,bit]
+.br
.SH DESCRIPTION
.I Cron
-should be started from /etc/rc.d/rc or /etc/rc.d/rc.local. It will return
-immediately, so you don't need to start it with '&'. The \-n option changes
-this default behavior causing it to run in the foreground. This can be
-useful when starting it out of init.
+should be started from
+.I /etc/rc.d/init.d
+or
+.I /etc/init.d
+. It will return immediately, so you don't need to start it with '&'.
.PP
.I Cron
-searches /var/spool/cron for crontab files which are named after accounts in
-/etc/passwd; crontabs found are loaded into memory.
+searches
+.I /var/spool/cron
+for crontab files which are named after accounts in
+.I/etc/passwd;
+crontabs found are loaded into memory.
.I Cron
-also searches for /etc/crontab and the files in the /etc/cron.d directory,
-which are in a different format (see
-.IR crontab (5)).
+also searches for
+.I /etc/crontab
+and the files in the
+.I/etc/cron.d
+directory, which are in a different format (see
+.BR crontab (5)
+).
.I Cron
then wakes up every minute, examining all stored crontabs, checking each
command to see if it should be run in the current minute. When executing
changed. Thus
.I cron
need not be restarted whenever a crontab file is modified. Note that the
-.IR Crontab (1)
+.BR crontab (1)
command updates the modtime of the spool directory whenever it changes a
crontab.
.PP
-The
-.B -m
-option allows you to specify a shell command string to use for sending
-cron mail output instead of
-.IR sendmail (8).
-This command must accept a fully
-formatted mail message (with headers) on stdin and send it as a mail
-message to the recipients specified in the mail headers.
-.PP
.SS Daylight Saving Time and other time changes
Local time changes of less than three hours, such as those caused
by the start or end of Daylight Saving Time, are handled specially.
A PAM configuration file for crond is installed in /etc/pam.d/crond.
crond loads the PAM environment from the pam_env module, but these
can be overriden by settings in the crontab file.
+.SH "OPTIONS"
+.TP
+.B "\-m"
+This option allows you to specify a shell command string to use for sending cron mail
+output instead of
+.BR sendmail (8).
+This command must accept a fully formatted mail message (with headers) on stdin and send it
+as a mail message to the recipients specified in the mail headers.
+.TP
+.B "\-n"
+This option changes default behavior causing it to run crond in the foreground. This can be
+useful when starting it out of init.
+.TP
+.B "\-p"
+Cron permit any crontab, which user set.
+.TP
+.B "\-x"
+With this option is possible to set debug flags.
.SH SIGNALS
On receipt of a \s-2SIGHUP\s+2, the cron daemon will close and reopen its
log file. This is useful in scripts which rotate and age log files.
.SH CAVEATS
In this version of
.BR cron
-, without the -p option,
-/etc/crontab must not be writable by any user other than root,
+, without the \fB-p\fP option,
+.I /etc/crontab
+must not be writable by any user other than root,
no crontab files may be links, or linked to by any other file,
and no crontab files may be executable, or be writable by any
user other than their owner.
.\"
.\" $Id: crontab.1,v 1.7 2004/01/23 19:03:32 vixie Exp $
.\"
-.TH CRONTAB 1 "29 December 1993"
+.TH CRONTAB 1 "16 Januar 2007"
.UC 4
.SH NAME
crontab \- maintain crontab files for individual users (ISC Cron V4.1)
.B crontab
.RB [ -u
.IR user ]
-.RB [ -l " | " -r " | " -e ] [ -i ]
+.RB [ -l " | " -r " | " -e ]\ [ -i ]
.RB [ -s ]
.SH DESCRIPTION
.I Crontab
is the program used to install, deinstall or list the tables
used to drive the
-.IR cron (8)
-daemon in ISC Cron. Each user can have their own crontab, and though
-these are files in /var, they are not intended to be edited directly.
+.BR cron (8)
+daemon in ISC Cron. Each user can have their own crontab, and though these are files in
+.I /var/spool/
+, they are not intended to be edited directly. For SELinux in mls mode can be even
+more crontabs - for each range. For more see
+.BR selinux (8).
.PP
If the
.I cron.allow
.I cron.allow
file does not exist but the
.I cron.deny
-file does exist, then you must \fBnot\fR be listed in the
+file does exist, then you must \fInot\fR be listed in the
.I cron.deny
file in order to use this command. If neither of these files exists,
only the super user will be allowed to use this command.
.PP
-If the
-.I -u
-option is given, it specifies the name of the user whose crontab is to be
-tweaked. If this option is not given,
+.SH "OPTIONS"
+.TP
+.B "\-u"
+It specifies the name of the user whose crontab is to be tweaked. If this option
+is not given,
.I crontab
examines "your" crontab, i.e., the crontab of the person executing the
command. Note that
-.IR su (8)
+.BR su (8)
can confuse
.I crontab
and that if you are running inside of
-.IR su (8)
+.BR su (8)
you should always use the
-.I -u
+.B -u
option for safety's sake.
-.PP
The first form of this command is used to install a new crontab from some
-named file or standard input if the pseudo-filename ``-'' is given.
-.PP
-The
-.I -l
-option causes the current crontab to be displayed on standard output.
-.PP
-The
-.I -r
-option causes the current crontab to be removed.
-.PP
-The
-.I -e
-option is used to edit the current crontab using the editor specified by
+named file or standard input if the pseudo-filename "-" is given.
+.TP
+.B "\-l"
+The current crontab will be displayed on standard output.
+.TP
+.B "\-r"
+The current crontab will be be removed.
+.TP
+.B "\-e"
+This option is used to edit the current crontab using the editor specified by
the \s-1VISUAL\s+1 or \s-1EDITOR\s+1 environment variables. After you exit
from the editor, the modified crontab will be installed automatically.
-.PP
-The
-.I -i
-option modifies the -r option to prompt the user for a 'y/Y' response
+.TP
+.B "\-i"
+This option modifies the
+.B "\-r"
+option to prompt the user for a 'y/Y' response
before actually removing the crontab.
-.PP
-The
-.I -s
-option will append the current SELinux security context string as an
-SELINUX_ROLE_TYPE setting to the crontab file before editing / replacement
-occurs - see the documentation of SELINUX_ROLE_TYPE in
-.IR crontab(5) .
+.TP
+.B "\-s"
+It will append the current SELinux security context string as an
+MLS_LEVEL setting to the crontab file before editing / replacement
+occurs - see the documentation of MLS_LEVEL in
+.BR crontab(5)\.
.SH "SEE ALSO"
crontab(5), cron(8)
.SH FILES
.\"
.\" $Id: crontab.5,v 1.6 2004/01/23 19:03:33 vixie Exp $
.\"
-.TH CRONTAB 5 "24 January 1994"
+.TH CRONTAB 5 "16 January 2007"
.UC 4
.SH NAME
crontab \- tables for driving cron (ISC Cron V4.1)
A
.I crontab
file contains instructions to the
-.IR cron (8)
-daemon of the general form: ``run this command at this time on this date''.
+.BR cron (8)
+daemon of the general form: "run this command at this time on this date".
Each user has their own crontab, and commands in any given crontab will be
executed as the user who owns the crontab. Uucp and News will usually have
their own crontabs, eliminating the need for explicitly running
-.IR su (1)
+.BR su (1)
as part of a cron command.
.PP
Blank lines and leading spaces and tabs are ignored. Lines whose first
.PP
Several environment variables are set up
automatically by the
-.IR cron (8)
+.BR cron (8)
daemon.
SHELL is set to /bin/sh, and LOGNAME and HOME are set from the /etc/passwd
line of the crontab\'s owner.
on these systems, USER will be set also.)
.PP
In addition to LOGNAME, HOME, and SHELL,
-.IR cron (8)
+.BR cron (8)
will look at MAILTO if it has any reason to send mail as a result of running
-commands in ``this'' crontab. If MAILTO is defined (and non-empty), mail is
+commands in "this" crontab. If MAILTO is defined (and non-empty), mail is
sent to the user so named. If MAILTO is defined but empty (MAILTO=""), no
mail will be sent. Otherwise mail is sent to the owner of the crontab. This
option is useful if you decide on /bin/mail instead of /usr/lib/sendmail as
usually doesn\'t read its mail.
.PP
By default, cron will send mail using the mail 'Content-Type:' header of 'text/plain' with the 'charset=' parameter set to the charmap / codeset of the locale in which
-.IR crond(8)
+.BR crond (8)
is started up - ie. either the default system locale, if no LC_* environment
variables are set, or the locale specified by the LC_* environment variables
-( see
-.IR locale(7) ).
+(see
+.BR locale (7)).
You can use different character encodings for mailed cron job output by
setting the CONTENT_TYPE and CONTENT_TRANSFER_ENCODING variables in crontabs,
to the correct values of the mail headers of those names.
.PP
-The SELINUX_ROLE_TYPE environment variable provides support for multiple per-job
+The MLS_LEVEL environment variable provides support for multiple per-job
SELinux security contexts in the same crontab.
By default, cron jobs execute with the default SELinux security context of the
user that created the crontab file.
When using multiple security levels and roles, this may not be sufficient, because
the same user may be running in a different role or at a different security level.
-You can set SELINUX_ROLE_TYPE to the SELinux security context string specifying
+For more about roles and SELinux MLS/MCS see
+.BR selinux (8)
+and undermentioned crontab example.
+You can set MLS_LEVEL to the SELinux security context string specifying
the SELinux security context in which you want the job to run, and crond will set
the execution context of the or jobs to which the setting applies to the specified
context.
See also the
-.IR crontab(1) -s option.
+.BR crontab(1)\ -s\ option.
.PP
The format of a cron command is very much the V7 standard, with a number of
upward-compatible extensions. Each line has five time and date fields,
followed by a user name if this is the system crontab file,
followed by a command. Commands are executed by
-.IR cron (8)
+.BR cron (8)
when the minute, hour, and month of year fields match the current time,
.I and
at least one of the two day fields (day of month, or day of week)
-match the current time (see ``Note'' below).
+match the current time (see "Note" below).
Note that this means that non-existent times, such as "missing hours"
during daylight savings conversion, will never match, causing jobs
scheduled during the "missing times" not to be run. Similarly, times
that occur more than once (again, during daylight savings conversion)
will cause matching jobs to be run twice.
.PP
-.IR cron (8)
+.BR cron (8)
examines cron entries once every minute.
.PP
The time and date fields are:
day of week 0-7 (0 or 7 is Sun, or use names)
.br
.PP
-A field may be an asterisk (*), which always stands for ``first\-last''.
+A field may be an asterisk (*), which always stands for "first\-last".
.PP
Ranges of numbers are allowed. Ranges are two numbers separated
with a hyphen. The specified range is inclusive. For example,
-8-11 for an ``hours'' entry specifies execution at hours 8, 9, 10
+8-11 for an "hours" entry specifies execution at hours 8, 9, 10
and 11.
.PP
Lists are allowed. A list is a set of numbers (or ranges)
-separated by commas. Examples: ``1,2,5,9'', ``0-4,8-12''.
+separated by commas. Examples: "1,2,5,9", "0-4,8-12".
.PP
Step values can be used in conjunction with ranges. Following
-a range with ``/<number>'' specifies skips of the number's value
-through the range. For example, ``0-23/2'' can be used in the hours
+a range with "<number>" specifies skips of the number's value
+through the range. For example, "0-23/2" can be used in the hours
field to specify command execution every other hour (the alternative
-in the V7 standard is ``0,2,4,6,8,10,12,14,16,18,20,22''). Steps are
-also permitted after an asterisk, so if you want to say ``every two
-hours'', just use ``*/2''.
+in the V7 standard is "0,2,4,6,8,10,12,14,16,18,20,22"). Steps are
+also permitted after an asterisk, so if you want to say "every two
+hours", just use "*/2".
.PP
-Names can also be used for the ``month'' and ``day of week''
+Names can also be used for the "month" and "day of week"
fields. Use the first three letters of the particular
day or month (case doesn't matter). Ranges or
lists of names are not allowed.
.PP
-The ``sixth'' field (the rest of the line) specifies the command to be
+The "sixth" field (the rest of the line) specifies the command to be
run.
The entire command portion of the line, up to a newline or %
character, will be executed by /bin/sh or by the shell
.I either
field matches the current time. For example,
.br
-``30 4 1,15 * 5''
+"30 4 1,15 * 5"
would cause a command to be run at 4:30 am on the 1st and 15th of each
month, plus every Friday.
-.SH EXAMPLE CRON FILE
+.SH EXAMPLE CRON FILE
+.nf
+# use /bin/sh to run commands, no matter what /etc/passwd says
+SHELL=/bin/sh
+# mail any output to `paul', no matter whose crontab this is
+MAILTO=paul
+#
+# run five minutes after midnight, every day
+5 0 * * * $HOME/bin/daily.job >> $HOME/tmp/out 2>&1
+# run at 2:15pm on the first of every month -- output mailed to paul
+15 14 1 * * $HOME/bin/monthly
+# run at 10 pm on weekdays, annoy Joe
+0 22 * * 1-5 mail -s "It's 10pm" joe%Joe,%%Where are your kids?%
+23 0-23/2 * * * echo "run 23 minutes after midn, 2am, 4am ..., everyday"
+5 4 * * sun echo "run at 5 after 4 every sunday"
+.fi
+.SH SELinux with multi level security (MLS)
+In crontab is important specified security level by \fIcrontab\ -s\fR or specifying
+the required level on the first line of the crontab. Each level is specified
+in \fI/etc/selinux/targeted/seusers\fR. For using crontab in MLS mode is really important:
+.br
+- check/change actual role,
+.br
+- set correct \fIrole for directory\fR, which is used for input/output.
+.SH EXAMPLE FOR SELINUX MLS
.nf
-# use /bin/sh to run commands, no matter what /etc/passwd says
-SHELL=/bin/sh
-# mail any output to `paul', no matter whose crontab this is
-MAILTO=paul
-#
-# run five minutes after midnight, every day
-5 0 * * * $HOME/bin/daily.job >> $HOME/tmp/out 2>&1
-# run at 2:15pm on the first of every month -- output mailed to paul
-15 14 1 * * $HOME/bin/monthly
-# run at 10 pm on weekdays, annoy Joe
-0 22 * * 1-5 mail -s "It's 10pm" joe%Joe,%%Where are your kids?%
-23 0-23/2 * * * echo "run 23 minutes after midn, 2am, 4am ..., everyday"
-5 4 * * sun echo "run at 5 after 4 every sunday"
+# login as root
+newrole -r sysadm_r
+mkdir /tmp/SystemHigh
+chcon -l SystemHigh /tmp/SystemHigh
+crontab -e
+# write in crontab file
+MLS_LEVEL=SystemHigh
+0-59 * * * * id -Z > /tmp/SystemHigh/crontest
+Now if I log in as a normal user it can't work, because /tmp/SystemHigh is
+higher than my level.
.fi
.SH FILES
-/etc/crontab System crontab file
-
-.SH SEE ALSO
-cron(8), crontab(1)
+.I /etc/crontab
+system crontab file
+.SH "SEE ALSO"
+.BR cron (8),
+.BR crontab (1)
.SH EXTENSIONS
When specifying day of week, both day 0 and day 7 will be considered Sunday.
BSD and ATT seem to disagree about this.
.fi
.SH CAVEATS
In this version of
-.BR cron ,
-/etc/crontab must not be writable by any user other than root.
+.I cron
+,
+.I /etc/crontab
+must not be writable by any user other than root.
No crontab files may be links, or linked to by any other file.
No crontab files may be executable, or be writable by any user
other than their owner.
projects / cronie / commitdiff