My original question:
Some of our end-users need the ability to display the status of all
pending batch jobs (their own and everybody else's) so they can
schedule new jobs appropriately. Typically, I as "root" have been
using the "atq" command to display this information. When a
non-privileged user executes the same command they see only their
jobs. Is their a simple way to give users the ability to see all
pending jobs on the queue? Is there another command? I thought by
setting "suid" permission on the "atq" command they would adopt root
privileges and see the whole picture, but that didn't change a thing.
I've also thought of possibly calling this command from inside a small
"C" program which has "suid" set, but I see from the archives (for this
list) that making system command calls from a "suid" program is not very
secure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all who replied.
A few responses suggested spmething along the lines of writing a small
program that sets the uid to root and then calls atq using exec. Make
the program setuid to root. Do NOT use system(3). Also use "/bin/atq"
and explicitly set the process environment. That
makes it pretty difficult to subvert.
Other suggestions were to get and use sudo. It allows unpriv'ed users to
run commands as root, and you control who and use it and what they can
use it for.
You can get it from <URL:
http://www.courtesan.com/sudo/>
Received on Sun Apr 18 1999 - 01:14:38 NZST