Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!mhuxl!houxm!hogpc!houti!ariel!vax135!cornell!uw-beaver!tektronix!hplabs!sri-unix!olympus!sauron!bob@SU-SHASTA.ARPA
From: bob@SU-SHASTA.ARPA@sauron.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Bugs in the "at" command - FIX DOES WORK!!!
Message-ID: <407@sri-arpa.UUCP>
Date: Tue, 24-Jul-84 18:26:29 EDT
Article-I.D.: sri-arpa.407
Posted: Tue Jul 24 18:26:29 1984
Date-Received: Sat, 28-Jul-84 21:01:45 EDT
Lines: 30

The fix that I posted yesterday to the net to eliminate the security hole
in having "at" on System III & System V does indeed work!  Matt is wrong
in claiming that it does not work!

The security hole was that once a user had used "at" to create a spool file
in the /usr/spool/at directory they could chown it away (like, to root).
The heart of my fix is the command 'chmod 700 /usr/spool/at'.  Matt failed
to realize that this prevents users from then chowning their spool file,
/usr/spool/at/*, because they won't be able to access /usr/spool/at anymore!

The "at" command and the "atrun" daemon can still access /usr/spool/at because
they run as root.  I'm reposting the fix:
-------------------------------------------------------------------------------
The fix for making "at" secure under System III & System V is to do this:
	chmod 700 /usr/spool/at
	chown root /usr/spool/at
	chmod 4755 /usr/bin/at
If your cron doesn't run as root also do:
	chmod 4755 /usr/lib/atrun
	chown root /usr/lib/atrun

The several versions of "at" that I've seen all chown the spool file to the
real UID so it's safe to make it set-uid and also prevent one from reading
files that the real UID isn't allowed to.

Note that no source changes or re-compilation is required.

Bob Toxen
Silicon Graphics
ucbvax!Shasta!olympus!bob
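
An added example, not part of the original post: a small POSIX shell audit that checks whether a system is in the state the fix above sets up (spool directory mode 700 and owned by root, "at" binary set-uid). The function names are hypothetical, and the script assumes the usual `ls -ldn` column layout (mode string first, numeric owner third).

```shell
#!/bin/sh
# Added example: audit the permissions the posted fix establishes.
# Function names are illustrative; default paths are the ones named in the post.

# mode_and_uid PATH -> prints "<10-char mode string> <numeric uid>",
# e.g. "drwx------ 0". Prints nothing if PATH does not exist.
mode_and_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# spool_dir_ok DIR UID: succeeds only if DIR is a directory with mode
# exactly 700 (no group/other access) and is owned by UID.
spool_dir_ok() {
    set -- "$1" "$2" $(mode_and_uid "$1")
    [ "$3" = "drwx------" ] && [ "$4" = "$2" ]
}

# setuid_owned_by FILE UID: succeeds only if FILE is a regular file with
# the set-uid bit and owner-execute set (an "s" in the owner triplet)
# and is owned by UID.
setuid_owned_by() {
    set -- "$1" "$2" $(mode_and_uid "$1")
    case "$3" in
        -??s??????) [ "$4" = "$2" ] ;;
        *)          return 1 ;;
    esac
}

# audit_at [SPOOL_DIR] [AT_BINARY] [EXPECTED_UID]
# Reports each check that fails and returns non-zero if any did.
audit_at() {
    spool=${1:-/usr/spool/at}
    bin=${2:-/usr/bin/at}
    uid=${3:-0}
    rc=0
    spool_dir_ok "$spool" "$uid" ||
        { echo "FAIL: $spool is not mode 700 owned by uid $uid"; rc=1; }
    setuid_owned_by "$bin" "$uid" ||
        { echo "FAIL: $bin is not set-uid and owned by uid $uid"; rc=1; }
    return $rc
}
```

Calling `audit_at` with no arguments checks /usr/spool/at and /usr/bin/at against uid 0; where cron does not run as root, `setuid_owned_by /usr/lib/atrun 0` covers the extra step.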