If the /etc/cron.allow file exists, then you must be listed (one user per line) therein in order to be allowed to use this command. If the /etc/cron.allow file does not exist but the /etc/cron.deny file does exist, then you must not be listed in the /etc/cron.deny file in order to use this command.
If neither of these files exists, then depending on site-dependent configuration parameters, only the super user will be allowed to use this command, or all users will be able to use this command.
If both files exist then /etc/cron.allow takes precedence. Which means that /etc/cron.deny is not considered and your user must be listed in /etc/cron.allow in order to be able to use the crontab.
Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab. For standard Debian systems, all users may use this command.
If the -u option is given, it specifies the name of the user whose crontab is to be used (when listing) or modified (when editing). If this option is not given, crontab examines "your" crontab, i.e., the crontab of the person executing the command. Note that su(8) can confuse crontab and that if you are running inside of su(8) you should always use the -u option for safety's sake.
The first form of this command is used to install a new crontab from some named file or standard input if the pseudo-filename ``-'' is given.
The -l option causes the current crontab to be displayed on standard output. See the note under DEBIAN SPECIFIC below.
The -r option causes the current crontab to be removed.
The -e option is used to edit the current crontab using the editor specified by the VISUAL or EDITOR environment variables. After you exit from the editor, the modified crontab will be installed automatically. If neither of the environment variables is defined, then the default editor /usr/bin/editor is used.
The -i option modifies the -r option to prompt the user for a 'y/Y' response before actually removing the crontab.
crontab -l | crontab -
non-idempotent --- you keep adding copies of the header. This causes pain to scripts that use sed to edit a crontab. Therefore, the default behaviour of the -l option has been changed to not output such header. You may obtain the original behaviour by setting the environment variable CRONTAB_NOHEADER to 'N', which will cause the crontab -l command to emit the extraneous header.
/etc/cron.allow /etc/cron.deny /var/spool/cron/crontabs
The files /etc/cron.allow and /etc/cron.deny if, they exist, must be either world-readable, or readable by group ``crontab''. If they are not, then cron will deny access to all users until the permissions are fixed.
There is one file for each user's crontab under the /var/spool/cron/crontabs directory. Users are not allowed to edit the files under that directory directly to ensure that only users allowed by the system to run periodic tasks can add them, and only syntactically correct crontabs will be written there. This is enforced by having the directory writable only by the crontab group and configuring crontab command with the setgid bid set for that specific group.
cron requires that each entry in a crontab end in a newline character. If the last entry in a crontab is missing the newline, cron will consider the crontab (at least partially) broken and refuse to install it.
The files under /var/spool/cron/crontabs are named based on the user's account name. Crontab jobs will not be run for users whose accounts have been renamed either due to changes in the local system or because they are managed through a central user database (external to the system, for example an LDAP directory).