近期在做数据自动备份用到了crontab,在使用时报了”You (xxx) are not allowed to use this program (crontab)”错误,这里总结了一些排查思路

第一步: 查看crontab说明手册

通过man crontab可以得到如下说明

Running cron jobs can be allowed or disallowed for different users.  For this purpose, use the cron.allow and cron.deny files.  If the cron.allow file exists, a user must be listed in  it  to
be allowed to use cron If the cron.allow file does not exist but the cron.deny file does exist, then a user must not be listed in the cron.deny file in order to use cron.  If neither of these
files exists, only the super user is allowed to use cron.  Another way to restrict access to cron is to use PAM authentication in /etc/security/access.conf to set up users, which are  allowed
or disallowed to use crontab or modify system cron jobs in the /etc/cron.d/ directory.

从以上说明,可以执行,如果存在/etc/cron.allow,则登录账号必须在这个文件中,如果/etc/cron.allow文件不存在,则你的账号不能出现在这个地方

经过以上可以解决大部分问题,但在我的例子中,还是无法解决,尝试创建了/etc/cron.allow,并添加了测试账号,但提示

/var/spool/cron/xxx: Permission denied

于是进行第二步排查

第二步:关于文件权限

经过搜索和比对,发现/usr/bin/crontab权限不对

[nexhome@iZ94l8ny5dlZ ~]$ stat /usr/bin/crontab
  File: `/usr/bin/crontab'
  Size: 51784     	Blocks: 104        IO Block: 4096   regular file
Device: ca01h/51713d	Inode: 1058360     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)

而正常的权限如下

[nexhome@iZ94l8ny5dlZ ~]$ stat /usr/bin/crontab
  File: `/usr/bin/crontab'
  Size: 51784     	Blocks: 104        IO Block: 4096   regular file
Device: ca01h/51713d	Inode: 1058360     Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)

于是使用chmod修改了下/usr/bin/crontab发现正常了

chmod 4755 /usr/bin/crontab

扩展

这里查了下其中的原理,原来在Unix(Linux)系统下,文件执行所需权限是依赖于euid、egid(而不是直接依赖于uid、gid,相当于做了解耦),在没有设置SUID时,这2个值等同于当前执行账号的uid和gid;而当设置了SUID时,euid、egid等同于文件所有者对应账号的uid和gid,这样相当于进行了提权操作。在系统中存在passwd、ping等命令都采用了类似特性。如下是MacOS下关于文件mode的说明

4000    (the setuid bit).  Executable files with this bit set will run with effective uid set to the uid of the file owner.  Directories with this bit set will force all
        files and sub-directories created in them to be owned by the directory owner and not by the uid of the creating process, if the underlying file system supports this
        feature: see chmod(2) and the suiddir option to mount(8).
2000    (the setgid bit).  Executable files with this bit set will run with effective gid set to the gid of the file owner.
1000    (the sticky bit).  See chmod(2) and sticky(7).
0400    Allow read by owner.
0200    Allow write by owner.
0100    For files, allow execution by owner.  For directories, allow the owner to search in the directory.
0040    Allow read by group members.
0020    Allow write by group members.
0010    For files, allow execution by group members.  For directories, allow group members to search in the directory.
0004    Allow read by others.
0002    Allow write by others.
0001    For files, allow execution by others.  For directories allow others to search in the directory.