New tasks about restricting the cron and at daemons

cwickert · cwickert · commit cf5f9d378cda · 2021-11-26T14:19:45.000+01:00
diff --git a/DC-task-restrict-at b/DC-task-restrict-at
@@ -0,0 +1,12 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="task-restrict-at.xml"
+ROOTID="task-restrict-at"
+
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"
diff --git a/DC-task-restrict-cron b/DC-task-restrict-cron
@@ -0,0 +1,12 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="task-restrict-cron.xml"
+ROOTID="task-restrict-cron"
+
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"
diff --git a/xml/task-restrict-at.xml b/xml/task-restrict-at.xml
@@ -0,0 +1,229 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file originates from the project https://github.com/openSUSE/doc-kit -->
+<!-- This file can be edited downstream. -->
+
+<?xml-stylesheet href="urn:x-suse:xslt:profiling:docbook51-profile.xsl"
+ type="text/xml"
+ title="Profiling step"?>
+<!DOCTYPE article
+[
+  <!ENTITY % entities SYSTEM "generic-entities.ent">
+    %entities;
+]>
+
+<!--metadata
+ * product(s): SLES, SLED, SLE-HA, SLES-SAP, SLE-HPC, SLE-RT
+ * product version(s): 15 SP3, 15 SP2, 15 GA
+ * topic category/ies: system administration, security
+ * target group(s): system administrators
+ * initially published: ?
+ * last modified: 2021-11-26 -->
+ 
+<article xml:id="task-restrict-at" xml:lang="en"
+ role="task"
+ xmlns="http://docbook.org/ns/docbook" version="5.1"
+ xmlns:its="http://www.w3.org/2005/11/its"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ xmlns:xlink="http://www.w3.org/1999/xlink">
+
+ <info>
+  <title>Restricting the <systemitem class="daemon">at</systemitem> scheduler</title>
+   <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+    <dm:bugtracker>
+     <dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
+     <dm:component>Smart Docs</dm:component>
+     <dm:product>Documentation</dm:product>
+     <dm:assignee>cwickert@suse.com</dm:assignee>
+    </dm:bugtracker>
+    <dm:translation>no</dm:translation>
+   </dm:docmanager>
+ </info>
+
+ <section xml:id="environment-restrict-at">
+ <title>Environment</title>
+  <para>This document applies to the following products and product versions:</para>
+  <itemizedlist>
+  <listitem>
+   <para>&sles;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&sles4sap;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&sleha;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&slehpc;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA</para>
+  </listitem>
+  <listitem>
+   <para>&sled;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&slert;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+ </itemizedlist>
+</section>
+
+ <section xml:id="introduction-restrict-at">
+  <title>Introduction</title>
+  <para>
+   The <systemitem class="daemon">at</systemitem> job execution system allows
+   users to schedule one-time running jobs. The <filename>at.allow</filename>
+   file specifies a list of users that are allowed to schedule jobs via
+   <systemitem class="daemon">at</systemitem>. The file does not exist by
+   default, so all users can schedule <systemitem class="daemon">at</systemitem>
+   jobs&mdash;except for those listed in <filename>at.deny</filename>)
+  </para>
+ </section>
+
+ <section xml:id="requirements-restrict-at">
+  <title>Requirements</title>
+  <itemizedlist>
+   <listitem>
+    <para>
+     You have installed your product and your system is up and running.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <package>at</package> package is installed. If not, run
+     <command>zypper in at</command> to install it.
+    </para>
+   </listitem>
+  </itemizedlist>
+  <!-- cwickert 2021-10-05: No idea why the template contains another <para> here. 
+  <para>
+   A paragraph of text.
+  </para>
+  -->
+ </section>
+
+ <section xml:id="restrict-at">
+  <title>Restrict access to the <systemitem class="daemon">at</systemitem> scheduler</title>
+  <!-- cwickert 2021-10-05: No idea why the template has two introductions, one
+   before and one at the beginning of the procedure. 
+  <para>
+   To prevent users except for root from scheduling jobs with <systemitem
+    class="daemon">at</systemitem>, perform the following steps.
+  </para>
+  -->
+  <procedure>
+   <para>
+    To prevent users except for &rootuser; from scheduling jobs with <systemitem
+     class="daemon">at</systemitem>, perform the following steps.
+   </para>
+   <step>
+    <para>
+     Create an empty file <filename>/etc/at.allow</filename>:
+    </para>
+<screen>&prompt.sudo;<command>touch</command> /etc/at.allow</screen>
+   </step>
+   <step>
+    <para>
+     Allow users to schedule jobs with <systemitem
+      class="daemon">at</systemitem> by adding their usernames to the file:
+    </para>
+<screen>&prompt.sudo;<command>echo</command> "&exampleuser_plain;" >> /etc/at.allow</screen>
+   </step>
+   <step>
+    <para>
+     To verify, try scheduling a job as non-root user listed in
+     <filename>at.allow</filename>:
+    </para>
+<screen>&prompt.user;<command>at 00:00</command>
+at></screen>
+    <para>
+     Quit the <systemitem class="daemon">at</systemitem>prompt with
+     <keycombo><keycap function="control"/><keycap>C</keycap></keycombo> and
+     try the same with a user <emphasis>not</emphasis> listed in
+     <filename>/etc/at.allow</filename> (or before adding them the file in step
+     2 of this procedure):
+    </para>
+<screen>&prompt.user2;<command>at 00:00</command>
+You do not have permission to use at.</screen>
+   </step>
+  </procedure>
+ </section>
+
+ <section xml:id="summary-restrict-at">
+  <title>Summary</title>
+  <para>
+   You have now restricted scheduling jobs with <systemitem
+    class="daemon">at</systemitem> for non-root users.
+  </para>
+ </section>
+ 
+ <section xml:id="troubleshooting-restrict-at">
+  <title>Troubleshooting</title>
+  <para>When implementing <filename>/etc/at.allow</filename>, there are
+   basically just two problems that can occur:
+  </para>
+  <variablelist>
+   <varlistentry>
+    <term>A user <emphasis>can</emphasis> schedule a job with <systemitem
+     class="daemon">at</systemitem> although they should
+     <emphasis>not</emphasis>.</term>
+    <listitem>
+     <para>
+      Check that the username in <filename>/etc/at.allow</filename> matches
+      the actual username.
+     </para>
+    </listitem>
+   </varlistentry>
+   <varlistentry>
+    <term>A user can <emphasis>not</emphasis> schedule a job with <systemitem
+     class="daemon">at</systemitem> jobs although they
+     <emphasis>should</emphasis>.</term>
+    <listitem>
+     <para>
+      If the user is correctly listed in <filename>/etc/at.allow</filename>
+      but cannot schedule <systemitem class="daemon">at</systemitem> jobs,
+      check if they are also listed in <filename>/etc/at.deny</filename>. If
+      the user appears in both files, <filename>/etc/at.deny</filename> wins.
+      Remove the user from the file to allow them to schedule <systemitem
+       class="daemon">at</systemitem> jobs.
+     </para>
+    </listitem>
+   </varlistentry>
+  </variablelist>
+ </section>
+
+ <section xml:id="next-restrict-at">
+  <title>Next steps</title>
+  <itemizedlist>
+   <listitem>
+    <para>
+     <systemitem class="daemon">at</systemitem> is not widely used anymore.
+     If you do not have valid use cases, consider uninstalling the daemon instead
+     of just restricting its access.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     To further improve security, also consider restricting access to the
+     <systemitem class="daemon">cron</systemitem> daemon.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xml:id="related-restrict-at">
+  <title>Related topics</title>
+  <itemizedlist>
+   <listitem>
+    <para>
+     Restricting the <systemitem class="daemon">at</systemitem> scheduler
+     <!-- cwickert 2021-10-05: Once we can link smartdocs, use this link instead
+     <xref linkend="task-restrict-at"/> -->
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://documentation.suse.com/smart/linux/html/task-create-systemd-timers/">Create &systemd; timers</link>
+     <!-- cwickert 2021-10-05: Once we can link smartdocs, use this link instead
+     <xref linkend="task-create-systemd-timers"/> -->
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+</article>
diff --git a/xml/task-restrict-cron.xml b/xml/task-restrict-cron.xml
