authorTodd C. Miller <millert@cvs.openbsd.org>2002-05-11 18:41:21 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2002-05-11 18:41:21 +0000
commit403f2d423a636d5975a0cfad10f57ad27633a06d (patch)
tree4b379cd0eae98482048b3972af17fd56a9749e21
parent5102fea158f4a4887eada3c42c62d6af4f2a0151 (diff)
at(1) is no longer setuid root, it is setgid crontab.
This means that /var/at/at.{allow,deny} must be readable by group crontab, /var/at/jobs is mode 01770, and /var/at/.SEQ is mode 0660.
-rw-r--r--etc/Makefile6
-rw-r--r--etc/mtree/4.4BSD.dist4
-rw-r--r--usr.bin/at/Makefile11
-rw-r--r--usr.bin/at/at.117
-rw-r--r--usr.bin/at/at.c61
-rw-r--r--usr.bin/at/pathnames.h3
6 files changed, 52 insertions, 50 deletions
diff --git a/etc/Makefile b/etc/Makefile
index 61b70125c61..61ddce073a0 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.157 2002/04/28 14:56:38 miod Exp $
+# $OpenBSD: Makefile,v 1.158 2002/05/11 18:41:19 millert Exp $
TZDIR= /usr/share/zoneinfo
LOCALTIME= US/Pacific
@@ -185,8 +185,10 @@ distribution-etc-root-var: distrib-dirs
${DESTDIR}/etc/dumpdates
${INSTALL} -c -o ${BINOWN} -g wheel -m 600 /dev/null \
${DESTDIR}/etc/skeykeys
- ${INSTALL} -c -o root -g wheel -m 600 /dev/null \
+ ${INSTALL} -c -o root -g crontab -m 660 /dev/null \
${DESTDIR}/var/at/at.deny
+ ${INSTALL} -c -o root -g crontab -m 660 /dev/null \
+ ${DESTDIR}/var/at/.SEQ
${INSTALL} -c -o root -g wheel -m 600 /dev/null \
${DESTDIR}/var/cron/log
${INSTALL} -c -o root -g wheel -m 444 /dev/null \
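Review bot: The new install line for /var/at/at.deny uses `-m 660`, which makes the deny list writable by group crontab, although the commit message and the at.1 text only require it to be readable by that group. Because at(1) now runs setgid crontab, any process that ends up with that gid could rewrite the access-control file. `${INSTALL} -c -o root -g crontab -m 640 /dev/null \` would grant read access only. Mode 660 is justified for /var/at/.SEQ, which nextjob() rewrites, but not for at.deny.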
diff --git a/etc/mtree/4.4BSD.dist b/etc/mtree/4.4BSD.dist
index 39737099263..0e59e21807a 100644
--- a/etc/mtree/4.4BSD.dist
+++ b/etc/mtree/4.4BSD.dist
@@ -1,4 +1,4 @@
-# $OpenBSD: 4.4BSD.dist,v 1.124 2002/05/09 21:22:01 millert Exp $
+# $OpenBSD: 4.4BSD.dist,v 1.125 2002/05/11 18:41:20 millert Exp $
/set type=dir uname=root gname=wheel mode=0755
# .
@@ -1840,7 +1840,7 @@ empty mode=0755
at gname=daemon
# ./var/at/jobs
-jobs mode=0700
+jobs gname=crontab mode=01770
# ./var/at/jobs
..
diff --git a/usr.bin/at/Makefile b/usr.bin/at/Makefile
index abe30f921e8..406cb0f0b3b 100644
--- a/usr.bin/at/Makefile
+++ b/usr.bin/at/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.4 1997/09/21 11:48:22 deraadt Exp $
+# $OpenBSD: Makefile,v 1.5 2002/05/11 18:41:20 millert Exp $
PROG= at
SRCS= at.c panic.c parsetime.c perm.c
@@ -9,7 +9,12 @@ MLINKS= at.1 batch.1 \
at.1 atq.1 \
at.1 atrm.1
-BINOWN= root
-BINMODE= 4555
+BINGRP= crontab
+BINMODE= 2555
+
+afterinstall:
+ test -f ${DESTDIR}/var/at/.SEQ || touch ${DESTDIR}/var/at/.SEQ
+ chown ${BINOWN}:${BINGRP} ${DESTDIR}/var/at/.SEQ; \
+ chmod 0660 ${DESTDIR}/var/at/.SEQ; \
.include <bsd.prog.mk>
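Review bot: The last line of the new `afterinstall` recipe ends in `; \`, so the recipe continues onto whatever line follows it. Joining chown and chmod with `;` also means make sees only the exit status of chmod. A failed chown would therefore leave /var/at/.SEQ with the installer's owner and group without stopping the install. I would write the two lines as `chown ${BINOWN}:${BINGRP} ${DESTDIR}/var/at/.SEQ && \` and `chmod 0660 ${DESTDIR}/var/at/.SEQ`, with no trailing continuation. Blank lines appear to be stripped on this page, so the line that actually follows the recipe cannot be confirmed from here.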
diff --git a/usr.bin/at/at.1 b/usr.bin/at/at.1
index b602064ea08..ccbcbea9af6 100644
--- a/usr.bin/at/at.1
+++ b/usr.bin/at/at.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: at.1,v 1.18 2001/07/20 19:09:45 mpech Exp $
+.\" $OpenBSD: at.1,v 1.19 2002/05/11 18:41:20 millert Exp $
.\" $FreeBSD: at.man,v 1.6 1997/02/22 19:54:05 peter Exp $
.Dd April 12, 1995
.Dt AT 1
@@ -208,11 +208,14 @@ is executed from a
.Xr su 1
shell, the owner of the login shell will receive the mail.
.Pp
-The superuser may use these commands in any case.
-For other users, permission to use at is determined by the files
+For non-root users, permission to run
+.Nm
+is determined by the files
.Pa /var/at/at.allow
and
.Pa /var/at/at.deny .
+.Em Note :
+these files must be readable by group crontab (if they exist).
.Pp
If the file
.Pa /var/at/at.allow
@@ -225,7 +228,7 @@ does not exist,
is checked.
Every username not mentioned in it is then allowed to use
.Nm at .
-If neither exists, only the superuser is allowed use of
+If neither exists, only the superuser is allowed to run
.Nm at .
.Pp
An empty
@@ -233,7 +236,7 @@ An empty
means that every user is allowed use these commands.
This is the default configuration.
.Sh FILES
-.Bl -tag -width /var/at/.lockfile -compact
+.Bl -tag -width /var/at/at.allow -compact
.It Pa /var/at/jobs
directory containing job files
.It Pa /var/at/spool
@@ -244,8 +247,8 @@ login records
allow permission control
.It Pa /var/at/at.deny
deny permission control
-.It Pa /var/at/.lockfile
-job-creation lock file
+.It Pa /var/at/.SEQ
+job sequence file
.El
.Sh SEE ALSO
.Xr nice 1 ,
diff --git a/usr.bin/at/at.c b/usr.bin/at/at.c
index a5164978e63..2ee77b8d51c 100644
--- a/usr.bin/at/at.c
+++ b/usr.bin/at/at.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: at.c,v 1.21 2002/02/16 21:27:44 millert Exp $ */
+/* $OpenBSD: at.c,v 1.22 2002/05/11 18:41:20 millert Exp $ */
/* $NetBSD: at.c,v 1.4 1995/03/25 18:13:31 glass Exp $ */
/*
@@ -74,7 +74,7 @@ enum { ATQ, ATRM, AT, BATCH, CAT }; /* what program we want to run */
/* File scope variables */
#ifndef lint
-static char rcsid[] = "$OpenBSD: at.c,v 1.21 2002/02/16 21:27:44 millert Exp $";
+static char rcsid[] = "$OpenBSD: at.c,v 1.22 2002/05/11 18:41:20 millert Exp $";
#endif
char *no_export[] =
@@ -156,21 +156,19 @@ nextjob()
int jobno;
FILE *fid;
- if ((fid = fopen(_PATH_SEQFILE, "r+")) != NULL) {
- if (fscanf(fid, "%5x", &jobno) == 1) {
- (void)rewind(fid);
- jobno = (1+jobno) % 0xfffff; /* 2^20 jobs enough? */
- (void)fprintf(fid, "%05x\n", jobno);
- } else
- jobno = EOF;
- (void)fclose(fid);
- return (jobno);
- } else if ((fid = fopen(_PATH_SEQFILE, "w")) != NULL) {
- (void)fprintf(fid, "%05x\n", jobno = 1);
- (void)fclose(fid);
- return (1);
- }
- return (EOF);
+ /* We require that the sequence file already exist. */
+ if ((fid = fopen(_PATH_SEQFILE, "r+")) == NULL)
+ return (EOF);
+
+ if (fscanf(fid, "%5x", &jobno) == 1)
+ jobno = (jobno + 1) % 0xfffff; /* 2^20 jobs enough? */
+ else
+ jobno = 1;
+ (void)rewind(fid);
+ (void)fprintf(fid, "%05x\n", jobno);
+ (void)fclose(fid);
+
+ return (jobno);
}
static void
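Review bot: The rewritten nextjob() still discards the results of `fprintf` and `fclose`, so a failed write to the sequence file (full disk, I/O error) returns a job number that was never persisted, and the next caller gets the same one. Since the function now requires the file to exist and always rewrites it, the write is the step that has to succeed. I would replace the cast-to-void calls with `if (fprintf(fid, "%05x\n", jobno) < 0) jobno = EOF;` and `if (fclose(fid) == EOF) jobno = EOF;` so that writefile()'s existing `perr("Cannot generate job number")` path fires. The opening lines of nextjob() are outside the hunk.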
@@ -213,35 +211,29 @@ writefile(runtimer, queue)
/*
* Loop over all possible file names for running something at this
* particular time, see if a file is there; the first empty slot at
- * any particular time is used. Lock the file _PATH_LOCKFILE first
+ * any particular time is used. Lock the jobs directory first
* to make sure we're alone when doing this.
*/
PRIV_START
- if ((lockdes = open(_PATH_LOCKFILE, O_WRONLY | O_CREAT, S_IWUSR | S_IRUSR)) < 0)
- perr2("Cannot open lockfile ", _PATH_LOCKFILE);
-
- lock.l_type = F_WRLCK;
- lock.l_whence = SEEK_SET;
- lock.l_start = 0;
- lock.l_len = 0;
-
+ /*
+ * Set an alarm so we don't sleep forever waiting on the lock.
+ * If we don't succeed with ALARMC seconds, something is wrong...
+ */
act.sa_handler = alarmc;
sigemptyset(&(act.sa_mask));
act.sa_flags = 0;
-
- /*
- * Set an alarm so a timeout occurs after ALARMC seconds, in case
- * something is seriously broken.
- */
sigaction(SIGALRM, &act, NULL);
alarm(ALARMC);
- fcntl(lockdes, F_SETLKW, &lock);
+ lockdes = open(_PATH_ATJOBS, O_RDONLY|O_EXLOCK, 0);
alarm(0);
+ if (lockdes < 0)
+ perr("Cannot lock jobs dir");
+
if ((jobno = nextjob()) == EOF)
- perr("Cannot generate job number");
+ perr("Cannot generate job number");
(void)snprintf(ppos, sizeof(atfile) - (ppos - atfile),
"%c%5x%8x", queue, jobno, (unsigned) (runtimer/60));
@@ -261,7 +253,8 @@ writefile(runtimer, queue)
* their r bit. Yes, this is a kluge.
*/
cmask = umask(S_IRUSR | S_IWUSR | S_IXUSR);
- if ((fdes = open(atfile, O_CREAT | O_TRUNC | O_WRONLY, S_IRUSR)) == -1)
+ if ((fdes = open(atfile, O_WRONLY|O_CREAT|O_TRUNC|O_NONBLOCK|O_NOFOLLOW,
+ S_IRUSR)) == -1)
perr("Cannot create atjob file");
if ((fd2 = dup(fdes)) < 0)
diff --git a/usr.bin/at/pathnames.h b/usr.bin/at/pathnames.h
index 0a211b9cf6f..eafcec28199 100644
--- a/usr.bin/at/pathnames.h
+++ b/usr.bin/at/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.3 1997/03/01 23:40:11 millert Exp $ */
+/* $OpenBSD: pathnames.h,v 1.4 2002/05/11 18:41:20 millert Exp $ */
/* $NetBSD: pathnames.h,v 1.3 1995/03/25 18:13:38 glass Exp $ */
/*
@@ -39,7 +39,6 @@
#define _PATH_ATJOBS "/var/at/jobs/"
#define _PATH_ATSPOOL "/var/at/spool/"
-#define _PATH_LOCKFILE "/var/at/.lockfile"
#define _PATH_SEQFILE "/var/at/.SEQ"
#define _PATH_AT_ALLOW "/var/at/at.allow"
#define _PATH_AT_DENY "/var/at/at.deny"