Concerning possible bugs in the 'inn' package

Forrest J. Cavalier III mibsoft at epix.net
Fri Sep 2 12:12:29 UTC 2005


Russ Allbery wrote:

> Ben Schwarz <bschwarz at EECS.berkeley.EDU> writes:
> 
> 
>>I agree that they could unlink files within the hierarchy where the news
>>spool is, but I'm concerned about unlinking files (through the use of
>>symlinks) in other portions of the file system that fastrm (or the
>>person on whose behalf fastrm is running) has access to.  For instance,
>>if you and I both share the same INN news spool directory, I would not
>>want you to be able to remove arbitrary files within my home directory
>>that you did not previously have access to.
> 
> 
>>If it's the case that users cannot share a news spool, then I would
>>agree this is probably a false positive and not a real bug. My knowledge
>>of how inn works is embarrassingly limited, so I should probably leave it
>>up to you to decide if this is a real threat or not.
> 
> 
> INN is a server, not personal software; it wouldn't make sense for people
> to run it as themselves.  It generally runs as a system user, like "news."
> The spool is only writable by that user, so only that user could create
> symlinks to fool fastrm.
> 
> The whole point of fastrm is to cut every corner possible and make every
> assumption possible based on what it's used for in order to make file
> deletion as fast as possible, since deleting expired articles is actually
> a significant part of the time it takes to do nightly expire.  This should
> really be clearer in the man page.  Anyone deleting files out of a shared
> directory should use a much safer program like tmpreaper.

As the use of automatic source code security auditing tools increases,
I predict we will see a lot more of these kinds of reports.

I think we should welcome the reports, but responding with "yes, we know, see the man page"
is easier than having a discussion each time it comes up.

And if it is in the manpage, then someone may be motivated to fix it, who knows?

I don't really think we need to make changing fastrm a priority for the use of INN,
but it is plausible to think some people are using fastrm outside INN.

I think one risk is that someone could conceivably escalate control of the news
user to root if fastrm is ever inadvertently run as root.  (We do have people
who end up with spools owned by root.)
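
The symlink concern discussed in this thread, shown as an added example; it is not part of the original messages and is not fastrm's code. The helper name `unlink_beneath` is hypothetical. It removes a spool-relative path by opening each directory component with `O_NOFOLLOW`, so a symlinked directory planted in the spool cannot redirect the delete elsewhere in the file system.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close fd and report err through errno. */
static int fail(int fd, int err)
{
    close(fd);
    errno = err;
    return -1;
}

/* Hypothetical helper, not INN code: unlink relpath below the directory open
 * as rootfd, refusing absolute paths, ".." and symlinked directory components.
 * Returns 0 on success, -1 with errno set on refusal or failure. */
int unlink_beneath(int rootfd, const char *relpath)
{
    char buf[PATH_MAX], *comp = buf, *slash;
    int dirfd, next;

    if (relpath[0] == '/' || strlen(relpath) >= sizeof buf)
        return fail(-1, EINVAL);
    strcpy(buf, relpath);
    if ((dirfd = dup(rootfd)) < 0)
        return -1;
    while ((slash = strchr(comp, '/')) != NULL) {
        *slash = '\0';
        if (strcmp(comp, "..") == 0)
            return fail(dirfd, EINVAL);
        /* O_NOFOLLOW: fail rather than follow a symlinked directory
         * (the errno reported for this varies between systems). */
        next = openat(dirfd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        if (next < 0)
            return fail(dirfd, errno);
        close(dirfd);
        dirfd = next;
        comp = slash + 1;
    }
    /* unlinkat() removes a symlink leaf itself, never the file it points to. */
    if (unlinkat(dirfd, comp, 0) != 0)
        return fail(dirfd, errno);
    close(dirfd);
    return 0;
}
```

Because every step is resolved relative to an already-open directory descriptor, a component swapped for a symlink between check and use is still refused.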




