at files and permissions

R.HUTCHISON hutch at lzaz.ATT.COM
Wed Jul 5 23:14:32 AEST 1989 

>From article <1894 at cbnewsh.ATT.COM>, by bgt at cbnewsh.ATT.COM (barbara.tongue):
> Folks,
> 
> I have a question concerning at command.  Why does it
> neet the setuid bit?  Why does it need root permissions?
> That seems like a slight security hazard to me...
> 
> Please email in response.
> 
> Thanks!
> 
> -- 
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> %%   The Speaking Tongue, AT&T   %%  C Code.  C Code Run.  Run, Code, RUN! %%
> %%    (..!att)!feathers!bgt      %%           PLEASE!!!!                   %%
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

I believe that the setuid bit is set on the shell script itself so the
at command can tell if someone has been messing with it.  At least on
my system, the "at" shell scripts are owned by the person who executed
the "at" command.  When the "at" daemon is run, it assumes the
identity of the owner of the file and executed the commands found
therein.  If it finds that the ownership has changed, it won't execute
the script.  But, how does it do this?  read on...

Scenario:
If I wanted to be sneaky (and if "at" wasn't very smart), I could submit 
a "nasty" at job, go to the spool directory, and change the file's owner 
id to a target login and "at" would do the nasty to that login.  

file in /usr/spool/cron/atjobs after it was submitted through "at"

permissions: -r-Sr-Sr--		owner: hutch

after I change the ownership:

permissions: -r--r--r--		owner: target

The "at" daemon checks to see if the set user and group id bits are
still on.  If so, it assumes that all is OK and goes adead and
executs the script.  If it sees them off, it assumes that probably
someone has tried to change the ownership of the file and is doesn't
execute the script.

The "at" command actually doesn't use the permission bits for their
originally intended use (setuid), but rather because these bits are 
reset on a chown.

About "at" requiring "root" permission, I guess it needs it to write
into the "atjobs" directory.

Bob Hutchison
lzaz!hutch

More information about the Comp.unix.questions mailing list