Concerning possible bugs in the 'inn' package

Russ Allbery rra at stanford.edu
Fri Sep 2 05:26:26 UTC 2005


Ben Schwarz <bschwarz at EECS.berkeley.EDU> writes:

> I agree that they could unlink files within the hierarchy where the news
> spool is, but I'm concerned about unlinking files (through the use of
> symlinks) in other portions of the file system that fastrm (or the
> person on whose behalf fastrm is running) has access to.  For instance,
> if you and I both share the same INN news spool directory, I would not
> want you to be able to remove arbitrary files within my home directory
> that you did not previously have access to.

> If it's the case that users cannot share a news spool, then I would
> agree this is probably a false positive and not a real bug. My knowledge
> of how inn works is embarassingly limited, so I should probably leave it
> up to you to decide if this is a real threat or not.

INN is a server, not personal software; it wouldn't make sense for people
to run it as themselves.  It generally runs as a system user, like "news."
The spool is only writable by that user, so only that user could create
symlinks to fool fastrm.

The whole point of fastrm is to cut every corner possible and make every
assumption possible based on what it's used for in order to make file
deletion as fast as possible, since deleting expired articles is actually
a significant part of the time it takes to do nightly expire.  This should
really be clearer in the man page.  Anyone deleting files out of a shared
directory should use a much safer program like tmpreaper.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the inn-bugs mailing list