commands that are to be executed. Information stored in this job file, along with its attributes, is used
by the atd daemon to recreate the invocation of the user’s identity while performing tasks at the
scheduled time.
5.14.2 Batch processing daemons

5.14.2.1 cron

The cron daemon executes commands scheduled through crontab or listed in /etc/crontab for
standard system cron jobs.
The cron trusted process daemon processes users’ crontab files. The cron daemon ensures that the
system DAC policy is not violated by duplicating the login environment of the user whose crontab file is
being processed. The cron daemon depends on the crontab trusted command to create the crontab file
of each user with his or her name. The /var/spool/cron/tabs/root file contains the crontab for
root, and therefore is critical. The cron daemon also depends on the kernel’s file system subsystem to
prevent normal users from creating or modifying other users’ crontab files. The cron daemon starts
during system initialization, and generally follows these steps:
1. Sits in an infinite loop, waking up after one minute to process crontab files.
2. Sets the system’s cron jobs by reading crontab files in the directory /etc/cron.d/.
3. Sets cron jobs to be executed weekly, hourly, daily and monthly by reading their respective
crontab files from directories /etc/cron.{weekly,hourly,daily,monthly}.
4. Calls the load_database() routine to read crontab files in the /var/spool/cron/tabs
directory.
5. For every crontab file, invokes getpwnam() to get the user’s identity information.
6. For each crontab file, at the appropriate time, which is set in the file, the daemon forks a child to
execute commands listed in the crontab file. The child sets its credentials based on the user’s login
environment before executing any commands. It generates audit records to log execution of cron
jobs.

5.14.2.2 atd

The atd is the trusted process daemon that services users’ requests for timed execution of specific tasks. The
atd ensures that the system’s DAC policy is not violated by exactly duplicating the identity for the user on
whose behalf it is performing tasks. The atd depends on the trusted command at to have appropriately
created the at job file containing pertinent information about the user’s identity. The atd is started during
system initialization time and generally goes through these steps:
1. Attaches to the audit subsystem.
2. On a regular interval, or on receiving a signal from a user, looks into the /var/spool/atjobs
directory for processing jobs.
3. If an appropriate job is found, forks a child process and sets its user and group IDs to those of the
owner of the job file. Sets up standard out to go to a file. Performs the tasks listed in the job file by
executing the user’s shell and e-mails the user when the job is finished. Generates an audit record to log
processing of an at job.
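
The identity switch in step 3, as an added example that is not atd's own code: the child takes its user and group IDs from the owner of the job file, verifies the switch, and only then opens the output file and runs the shell. The names run_job_as_owner and drop_to are hypothetical; the symlink refusal, the use of /bin/sh and the exit codes are assumptions of this sketch, and auditing and e-mail are left out.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Order matters: groups, then gid, then uid. */
static int drop_to(uid_t uid, gid_t gid)
{
    /* Assumption: root's groups are replaced by gid alone, not the user's list. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* root must be unrecoverable */
    return 0;
}

/* Run the job file through /bin/sh as the file's owner, output to out_path.
   Returns the shell's exit status (126: setup failed in child), or -1. */
int run_job_as_owner(const char *job_path, const char *out_path)
{
    struct stat st;
    int status = 0;
    int jfd = open(job_path, O_RDONLY | O_NOFOLLOW); /* refuse symlinks */
    if (jfd < 0) return -1;
    if (fstat(jfd, &st) != 0 || !S_ISREG(st.st_mode)) { close(jfd); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(jfd); return -1; }
    if (pid == 0) {
        /* Child: take the owner's identity before touching any output path. */
        if (drop_to(st.st_uid, st.st_gid) != 0) _exit(126);
        int ofd = open(out_path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
        if (ofd < 0 || dup2(jfd, 0) < 0 || dup2(ofd, 1) < 0 || dup2(ofd, 2) < 0)
            _exit(126);
        if (jfd > 2) close(jfd);
        if (ofd > 2) close(ofd);
        execl("/bin/sh", "sh", (char *)NULL); /* shell reads the job on stdin */
        _exit(127);
    }
    close(jfd);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Because the output file is opened after the switch, it is created with the job owner's access rights rather than the daemon's.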