IBM 10 SP1 EAL4 User Manual
commands that are to be executed. Information stored in this job file, along with its attributes, is used
by the
by the
atd
daemon to recreate the invocation of the user’s identity while performing tasks at the
scheduled time.
5.14.2 Batch processing daemons
5.14.2.1 cron
The cron daemon executes commands scheduled through crontab or listed in /etc/crontab for
standard system cron jobs.
The cron trusted process daemon processes users’ crontab files. The cron daemon ensures that the
The cron trusted process daemon processes users’ crontab files. The cron daemon ensures that the
system DAC policy is not violated by duplicating the login environment of the user whose crontab file is
being processed. The cron daemon depends on the crontab trusted command to create the crontab file
of each user with his or her name. The /var/spool/cron/tabs/root file contains the crontab for
root, and therefore is critical. The cron daemon also depends on the kernel’s file system subsystem to
prevent normal users from creating or modifying other users’ crontab files. The cron daemon starts
during system initialization, and generally follows these steps:
1. Sits in an infinite loop, waking up after one minute to process crontab files.
2. Sets the system’s cron jobs by reading crontab files in the directory /etc/cron.d/.
3. Sets cron jobs to be executed weekly, hourly, daily and monthly by reading their respective
2. Sets the system’s cron jobs by reading crontab files in the directory /etc/cron.d/.
3. Sets cron jobs to be executed weekly, hourly, daily and monthly by reading their respective
crontab files from directories /etc/cron {weekly hourly daily monthly}.
4. Calls the load_database() routine to read crontab files in the /var/spool/cron/tabs
directory.
5. For every crontab file, invokes getpwnam() to get the user’s identity information.
6. For each crontab file, at the appropriate time, which is set in the file, the daemon forks a child to
6. For each crontab file, at the appropriate time, which is set in the file, the daemon forks a child to
execute commands listed in the crontab file. The child sets its credentials based on the user’s login
environment before executing any commands. It generates audit records to log execution of cron
jobs.
5.14.2.2 atd
The atd is the trusted process daemon that services users’ requests for timed execution of specific tasks. The
atd ensures that the system’s DAC policy is not violated by exactly duplicating the identity for the user on
atd ensures that the system’s DAC policy is not violated by exactly duplicating the identity for the user on
whose behalf it is performing tasks. The atd depends on the trusted command at to have appropriately
created at jobs file containing pertinent information about the user’s identity. The atd is started during
system initialization time and generally goes through these steps:
1. Attaches to the audit subsystem.
2. On a regular interval or on receiving a signal from a user looks into the /var/spool/atjobs
2. On a regular interval or on receiving a signal from a user looks into the /var/spool/atjobs
directory for processing jobs.
3. If an appropriate job is found, forks a child process and sets its user and group IDs to those of the
owner of the job file. Sets up standard out to go to a file. Performs the tasks listed in the job file by
executing the user’s shell and e-mails the user when the job is finished. Generates audit record to log
processing of an at job.
executing the user’s shell and e-mails the user when the job is finished. Generates audit record to log
processing of an at job.
210