Guidelines:

1.  Want Users to be readable / modifiable only by root and operator.
I don't want model hosts to trust root on other hosts, but it may trust
operator.  So the passwd program must run as operator.

2.  Want any user who can log in to be able to run passwd.

3.  Don't want all users to need to be able to log into the model
machine.

4.  Must work with Solaris, in which suid programs only set euid, not
uid.

Solutions:

a.  To satisfy 1, let data be -rw-rw----  operator operator, and set
the SAT permissions like this:

		owner = "ROOT@MAIN"
		modifier = "OPERATOR@MAIN" [includes all root and operator]
		appender = "NOBODY"
		reader = "ALLOPERATOR" [includes all operators]

I had to fix a bug in SAT that caused new data files to lack the proper
owner.  The new routine is CloneFile().

c.  To satisfy 3, need passwd to be suid operator.  But on Solaris,
that only sets euid.  [False starts: The passwd program needs to be
able to read (locally) Users, so in lib/UserName, could set pw =
getpwuid (geteuid ()).  However, tabmod is suid root, so pw becomes
'root', which lets CheckPermissions be too lenient, which lets any user
use tabmod to build data.new.  It fails only to read in data.new
afterwards.  That's too dangerous.  Therefore, a special case for
operator:  only if euid is operator do we set pw = getpwuid (geteuid
()).]  But I finally figured out how to make passwd be true suid
operator in Solaris: make it suid root, let it first setuid(0), then
setuid(operator).
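
The setuid(0)-then-setuid(operator) sequence from item c, as an added example in C (not code from SAT or the passwd program). The helper names become_user and is_fully_dropped are hypothetical, and supplementary groups are left as the invoking user's.

```c
/* Added example; helper names are hypothetical, not from SAT. */
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only if real and effective uid both equal target and root
 * cannot be regained. Probing setuid(0) is safe here: if it succeeds,
 * the drop was not permanent and we report failure. */
int is_fully_dropped(uid_t target)
{
    if (target == 0)
        return 0;                /* root is never a "dropped" state */
    if (getuid() != target || geteuid() != target)
        return 0;
    if (setuid(0) == 0)
        return 0;                /* root came back: saved uid was still 0 */
    return 1;
}

/* For a binary installed suid root: exec sets only euid = 0, so first
 * make the real uid 0 too, then switch every uid to the target. */
int become_user(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return -1;               /* not running with root euid */
    if (setuid(0) != 0)          /* euid 0: real, effective, saved become 0 */
        return -1;
    if (setgid(gid) != 0)        /* group first, while still root */
        return -1;
    if (setuid(uid) != 0)        /* as root, sets all three uids at once */
        return -1;
    return is_fully_dropped(uid) ? 0 : -1;
}

int main(void)
{
    struct passwd *pw = getpwnam("operator");  /* account name from the notes */
    if (pw == NULL || become_user(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "cannot become operator; refusing to continue\n");
        return 1;
    }
    printf("uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    return 0;
}
```

Every return value is checked because a failed setuid() that goes unnoticed leaves the program running as root.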

f.  Root needs access to data even if across NFS.  This is because
report may not run as operator, because it needs to write root-only
configuration files.  I see no way to achieve this but to have the data
permissions allow world read.  So I must violate goal 1.   Still, the
SAT permissions only allow operator and root to read the data through
tabedit.  Perl scripts can, of course, read anyhow.

j.  To allow operator to run LocalUpdate() in relmod, it must be able to
remake report and check.  Generally, these will be up to date, but the log
files for DoMake() need to be writable by operator.  It isn't enough for the
makefiles to set ownership to operator (and it doesn't help).  So I modified
SAT to put log files in /tmp.  I added the -s flag to make so that an empty
log file is "good news".  Unfortunately, if there is already a log file owned
by root, it prevents the log file from being created.  Solution is most
likely to automatically remove 0-length log files.  Meanwhile, have removed
the t (sticky) bit from al:/tmp.
