HPE Community
Operating System - HP-UX
1834218 Members
3225 Online
110066 Solutions
New Discussion

at problems

 
SOLVED
Go to solution
Dieter S. Vener
Frequent Advisor

‎09-15-2005 02:43 AM

‎09-15-2005 02:43 AM

at problems

Hi,

I just added a user to /usr/lib/cron/at.allow. When this user tries to run at, they get the following error:

Open '/var/spool/cron/atjobs/../_at26904' failed errno=13
can't create a job for you

Help
0 Kudos
Reply
16 REPLIES 16
Orhan Biyiklioglu
Respected Contributor

‎09-15-2005 02:46 AM

‎09-15-2005 02:46 AM

Re: at problems

Did you restart cron servise?

/sbin/init.d/cron stop

/sbin/init.d/cron start
0 Kudos
Reply
Matthew_50
Valued Contributor

‎09-15-2005 02:52 AM

‎09-15-2005 02:52 AM

Re: at problems

`ls -ld /var/spool/cron/atjobs`, check if the directory owner and group belongs to bin, if not, use chmod -R bin:bin /var/spool/cron/atjobs
0 Kudos
Reply
Dieter S. Vener
Frequent Advisor

‎09-15-2005 03:43 AM

‎09-15-2005 03:43 AM

Re: at problems

I did try restarting cron. The ownership on the atjobs directory is bin:bin 555.

Thanks
0 Kudos
Reply
Stephen Keane
Honored Contributor

‎09-15-2005 03:58 AM

‎09-15-2005 03:58 AM

Re: at problems

What happens if the user enters

# at -l
0 Kudos
Reply
Dieter S. Vener
Frequent Advisor

‎09-15-2005 05:29 AM

‎09-15-2005 05:29 AM

Re: at problems

%at -l

Returns nothing
0 Kudos
Reply
Rodney Hills
Honored Contributor

‎09-15-2005 05:33 AM

‎09-15-2005 05:33 AM

Re: at problems

Does the directory "/var/spool/cron/tmp" exist and does it have permissions of rwxrwxrwt ?

Rod Hills
There be dragons...
0 Kudos
Reply
Dieter S. Vener
Frequent Advisor

‎09-15-2005 05:55 AM

‎09-15-2005 05:55 AM

Re: at problems

Yes
0 Kudos
Reply
Stephen Keane
Honored Contributor

‎09-15-2005 08:13 PM

‎09-15-2005 08:13 PM

Solution

Re: at problems

If a user that isn't authorised to use "at" issues the command "at -l" you'd get an error message "you are not authorized to use at. Sorry.". The fact that you don't get such an error message indicates that the user IS allowed to use "at".

Do you have any other users allowed to use "at". Can you try them to see if all (non-root) users are affected, or just this one. If it's just this one, is it in a different group or anything?
Reply
MarkSyder
Honored Contributor

‎09-15-2005 08:27 PM

‎09-15-2005 08:27 PM

Re: at problems

Error number 13 means permission denied. Could it be the command the user is trying to run that is generating the error message rather than the at job?

Mark Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
0 Kudos
Reply
Muthukumar_5
Honored Contributor

‎09-15-2005 08:34 PM

‎09-15-2005 08:34 PM

Re: at problems

Check /usr/lib/cron/at.allow file.

# ls -l /usr/lib/cron/at.allow
-r--r--r-- 1 bin bin

Your user name has to be there.

Example:

add test user.

# su test
$ echo "hi" | at 0815 Sep 24
warning: commands will be executed using /usr/bin/sh
job 1127571300.a at Sat Sep 24 08:15:00 2005
$
$
$ at -l
1127571300.a Sat Sep 24 08:15:00 2005

hth.
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Arunvijai_4
Honored Contributor

‎09-15-2005 08:41 PM

‎09-15-2005 08:41 PM

Re: at problems

Hi,

Take a look at the man page of at command, It reads,
Users are permitted to use the at and batch commands if their user names appear in the file /usr/lib/cron/at.allow. If that file does not exist, users can use at and batch if their names do not appear in the file /usr/lib/cron/at.deny. If neither file exists, only superuser is allowed to submit jobs. If only at.deny exists but is empty, all users can use at and batch. The allow/deny files consist of one user name per line.

All users can list and remove their own jobs. Users with appropriate privileges can list and remove jobs other than their own.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
0 Kudos
Reply
Dieter S. Vener
Frequent Advisor

‎11-15-2005 06:09 AM

‎11-15-2005 06:09 AM

Re: at problems

Hi,

I do understand that at.allow and at.deny files exist and do know how to use them. The user is in at.allow and this is not the only user that does not work. In fact, root is the only user that works. I believe that I am experiencing an internal error from at because setuid permissions are wrong somewhere. I think that the permissions of one or some of the files that at uses is not set correctly. One of my admins used CIS to lock down the system and followed the recommendations to change permissions on a lot of files. I do not recommend that anyone follow all of CIS's recommendations! Some of CIS's recommendations are really bad. Great tool, it makes the system so secure that you can't use it:) (sarcasm)I'm actually surprised that CIS did not recommend that I unplug the network cable and turn off power to the server. I think we have fixed most of the things that were broken by implementing recommendations by CIS. Can anyone give me a list of files that at uses and which ones must have setuid root permissions? Starting over from scratch is not really an option at this point. Thanks for all the help thus far.

Thanks
0 Kudos
Reply
Pete Randall
Outstanding Contributor

‎11-15-2005 06:20 AM

‎11-15-2005 06:20 AM

Re: at problems

According to the man page, the following files are involved:

-r-xr-xr-x 2 bin bin /usr/bin/sh
-r--r--r-- 1 root sys /var/adm/cron
-r--r--r-- 1 bin bin -r--r--r-- 1 bin bin/var/adm/cron/.proto
-r--r--r-- 1 bin bin /usr/lib/cron/at.allow
-r--r--r-- 1 bin bin /usr/lib/cron/at.deny
-r--r--r-- 1 bin bin /var/adm/cron/queuedefs
dr-xr-xr-x 2 bin bin /var/spool/cron/atjobs


Pete

Pete
0 Kudos
Reply
Dieter S. Vener
Frequent Advisor

‎11-15-2005 06:20 AM

‎11-15-2005 06:20 AM

Re: at problems

Ok, I figured it out. The at executable itself must be setuid root. I looked on another system.
0 Kudos
Reply
Sheriff Andy
Trusted Contributor

‎11-15-2005 09:28 AM

‎11-15-2005 09:28 AM

Re: at problems

Have you done a tail on the /var/adm/cron/log file to see what activity is going on?
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎11-15-2005 11:06 AM

‎11-15-2005 11:06 AM

Re: at problems

There may be a *LOT* of damage still hidden from the 'improvements' to the system files. Luckily, HP-UX haas a very smart software installer called Software Distributor and the problem finder is called swverify. Use it to verify the various OS subsystems and it will tell you what was changed and what it should be (ownership and permissions).


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.