Concerning possible bugs in the 'inn' package

Ben Schwarz bschwarz at EECS.berkeley.EDU
Fri Sep 2 05:14:14 UTC 2005


> fastrm is not designed or intended for use with world-writable file
> systems.  It is designed for cleaning out the INN news spool.  If an
> attacker has access to modify the directory hierarchy, they already have
> the same privileges as fastrm and can unlink whatever files they wish
> themselves.

I agree that they could unlink files within the hierarchy where
the news spool is, but I'm concerned about unlinking files (through the
use of symlinks) in other portions of the file system that
fastrm (or the person on whose behalf fastrm is running) has access to.
For instance, if you and I both share the same INN news spool
directory, I would not want you to be able to remove arbitrary files
within my home directory that you did not previously have access to.

If it's the case that users cannot share a news spool, then I would
agree this is probably a false positive and not a real bug. My knowledge
of how inn works is embarassingly limited, so I should probably
leave it up to you to decide if this is a real threat or not.

Thanks for taking the time to respond,

Ben



More information about the inn-bugs mailing list