Xref: utzoo comp.unix.questions:20935 comp.sys.sequent:528
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!mcsun!ukc!strath-cs!jim
From: jim@cs.strath.ac.uk (Jim Reid)
Newsgroups: comp.unix.questions,comp.sys.sequent
Subject: Re: Allowing users to remove files in /usr/spool/at
Message-ID: <2823@baird.cs.strath.ac.uk>
Date: 28 Mar 90 12:22:48 GMT
References: <2409@syma.sussex.ac.uk>
Sender: news@cs.strath.ac.uk
Reply-To: jim@cs.strath.ac.uk
Organization: Comp. Sci. Dept., Strathclyde Univ., Scotland.
Lines: 31

In article <2409@syma.sussex.ac.uk> andy@syma.sussex.ac.uk (Andy Clews) writes:
>I work on a Sequent Symmetry S81 running DYNIX 3.0.15. My question
>could, however, apply to any UN*X box.

Not so. Most System V boxes have a different at/cron system. The System V
at command supports a -r option, enabling users to delete their at jobs.

>Files in this directory are owned and writeable by the people who gave
>the corresponding "at" command, but because /usr/spool/at can only at
>present be written by root, users cannot delete their own "at" files.
>
>Can anyone suggest a way in which I can give this sort of access to
>/usr/spool/at without compromising system security by allowing the world
>to write to it? I'm a bit wary of creating a setuid'd program to do it.

Well, there's no need for a setuid program at all. (Or setgid for that
matter either.) Just have the user run a script to identify the
appropriate shell script. All that's then needed is to delete the
contents of the file. The at daemon will run the now empty file at the
appointed time and then delete it. Since the user already owns the shell
script, this does not require any special setuid/setgid permissions.

Incidentally, the BSD at command doesn't need to be setuid anything. All
it needs is to have write permission on the spool directory. Setgid to
the unique group ownership of the spool directory will do fine.

i.e.:-
    % ls -lsgd /usr/bin/at /usr/spool/at
      24 ---x--s--x  1 bin      at          24576 May 21  1988 /usr/bin/at
       1 drwxrwxr-x  3 root     at            512 Mar 28 08:00 /usr/spool/at

		Jim
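
The truncate-instead-of-delete approach described in the post, as an added example that is not part of the original post or of any at distribution. The AT_SPOOL variable, the function names and the job file names are assumptions made for illustration; the script runs with the user's own privileges and needs no setuid or setgid bit.

```shell
#!/bin/sh
# Added example: cancel your own at job by emptying its spool file.
# AT_SPOOL and both function names are hypothetical, not part of any at package.
AT_SPOOL=${AT_SPOOL:-/usr/spool/at}

# Print the names of regular spool files owned by the invoking user.
list_my_at_jobs() {
    for f in "$AT_SPOOL"/*; do
        # Skip symlinks, directories and other users' jobs.
        [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Empty one job file so the at daemon runs a no-op and then removes it.
cancel_at_job() {
    job=$1
    case $job in
        # Reject empty names, anything with a slash, and dot-names, so the
        # argument can only ever name a file directly inside the spool.
        ''|*/*|.*) echo "cancel_at_job: bad job name" >&2; return 2 ;;
    esac
    jobfile=$AT_SPOOL/$job
    # Only touch a regular file that the caller owns; never follow a symlink.
    if [ -L "$jobfile" ] || [ ! -f "$jobfile" ] || [ ! -O "$jobfile" ]; then
        echo "cancel_at_job: $job is not a regular file owned by you" >&2
        return 1
    fi
    # Truncate in place. This needs write permission on the file only,
    # not on the spool directory, which stays closed to ordinary users.
    : > "$jobfile"
}
```

Because the spool directory remains writable only by root and group at, the ownership and symlink checks are a second line of defence rather than the primary control.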