Should "rnews" be useable to inject news by non-news users?

Russ Allbery rra at stanford.edu
Tue Jun 5 15:26:34 UTC 2001



Jonathan Kamens <jik at kamens.brookline.ma.us> writes:

> Should users besides "news" be able to inject news with "rnews"?

Only if explicitly configured with --enable-uucp-rnews with current
versions of INN; I'm worried that it will have additional security holes.
It needs a thorough audit; there's a lot of code and a lot of strcpys and
sprintfs in it.

The default now is to install it owned by news.news without any special
permissions, which means it will only really work for the news user and
members of the news group.  With --enable-uucp-rnews, it's installed
owned by news.uucp and setuid news.

(Arguably, owned by uucp.news and setgid news should be sufficient
provided that the incoming directory is group-writeable.)

> I'm asking because they can't, at least not in the inn that's shipped
> with RedHat, and I think that they should be, so I'm trying to
> understand if there's any reason why they shouldn't.

> The reason they can't is that rnews is setuid "uucp" instead of setuid
> "news", and /var/spool/news/incoming is owned by "news" rather than
> "uucp".

It sounds like Red Hat is using something different than the defaults.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
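
Added example, not part of the original message and not INN code: a shell model of the ownership question discussed above, reporting whether a given caller can execute rnews and whether the identity rnews then runs with can write to the incoming directory. The octal modes, the caller "alice" in group "users", and the single-group simplification are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not INN code). Models one caller with a single group;
# all modes are octal strings such as 4550 or 775.

# has_perm OWNER GROUP MODE USER UGROUP BIT   (BIT: 4=read 2=write 1=execute)
# Succeeds if USER/UGROUP holds BIT on an object with that owner/group/mode.
# Like the kernel, only the first matching class (owner, group, other) counts.
has_perm() {
    m=$(( 0$3 ))
    if [ "$4" = "$1" ]; then shift_by=6
    elif [ "$5" = "$2" ]; then shift_by=3
    else shift_by=0
    fi
    [ $(( (m >> shift_by) & $6 )) -ne 0 ]
}

# check_rnews BIN_OWNER BIN_GROUP BIN_MODE DIR_OWNER DIR_GROUP DIR_MODE USER UGROUP
# Prints one of: ok | no-exec | no-write
check_rnews() {
    if ! has_perm "$1" "$2" "$3" "$7" "$8" 1; then
        echo no-exec
        return 0
    fi
    bin_mode=$(( 0$3 )); euser=$7; egroup=$8
    # setuid: the process runs as the file's owner
    if [ $(( bin_mode & 04000 )) -ne 0 ]; then euser=$1; fi
    # setgid: the process runs with the file's group
    if [ $(( bin_mode & 02000 )) -ne 0 ]; then egroup=$2; fi
    if has_perm "$4" "$5" "$6" "$euser" "$egroup" 2; then
        echo ok
    else
        echo no-write
    fi
}

# Constructed scenarios; the incoming directory is news.news mode 775.
echo "default, caller alice:        $(check_rnews news news 755  news news 775 alice users)"
echo "uucp-rnews, caller uucp:      $(check_rnews news uucp 4550 news news 775 uucp uucp)"
echo "setuid uucp, dir owned news:  $(check_rnews uucp uucp 4755 news news 775 alice users)"
echo "setgid news, group-writeable: $(check_rnews uucp news 2555 news news 775 alice users)"
```

On a live system the six ownership values can be read with `stat` on the rnews binary and the incoming directory and passed in unchanged.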

