atd: Make `at' and friends actually usable by regular users.

This patch makes the `at' commands setuid `atd' (instead of `root')
and fixes the ownership of `/etc/at/at.deny'.

svn path=/nixos/trunk/; revision=13515

system/options.nix

@@ -639,7 +639,8 @@ in
         default = false;
         description = ''
           Whether to make /var/spool/at{jobs,spool} writeable 
-          by everyone (and sticky).
+          by everyone (and sticky).  This is normally not needed since
+          the `at' commands are setuid/setgid `atd'.
         '';
       };
     };

system/system.nix

@@ -302,7 +302,15 @@ rec {
         chmod u${if entry.setuid then "+" else "-"}s $wrapperDir/${entry.program} 
         chmod g${if entry.setgid then "+" else "-"}s $wrapperDir/${entry.program} 
       '') 
-      config.security.setuidOwners);
+      (config.security.setuidOwners ++
+
+       # The `at' commands must be setuid `atd' so they can access the files
+       # under `/etc/at', etc.
+       (if config.services.atd.enable
+        then (map (program: { inherit program; owner = "atd"; group = "atd";
+                             setuid = true; setgid = true; })
+                  [ "at" "atq" "atrm" ])
+        else [])));
   };
 
 

upstart-jobs/atd.nix

@@ -48,7 +48,7 @@ start script
    if [ ! -f "$etcdir"/at.deny ]
    then
        touch "$etcdir"/at.deny && \
-       chown root:root "$etcdir"/at.deny && \
+       chown root:atd "$etcdir"/at.deny && \
        chmod 640 "$etcdir"/at.deny
    fi
    if [ ! -f "$jobdir"/.SEQ ]