inn-2.2 inews buffer overflow

Jeff King peff at dbd.com
Mon Aug 23 02:14:40 UTC 1999



On 21 Aug 1999, Russ Allbery wrote:

> A fourth class required user control over inn.conf.  I don't remember how
> much in the way of environment variables we're honoring these days to
> redirect things at a different inn.conf, so I fixed those too.

ReadInnConf() checks the INNCONF environment variable for this (which is
nasty...on RH, by cracking group "news" I can use innd to crack "root",
although a kludge (hardcoding /var/run/news as pathrun) in the rpm
allows me only to crack user "news").

> Does anyone here know if inews has any reason at all to be setgid apart
> from being able to use the local Unix domain socket for posting?  I've

You can theoretically have systems in which the administrator wants to
keep the inn.conf 0640 or similar, though they are probably few enough
that anyone doing so should be able to handle setting inews permissions
him/herself.  I'm not certain if this strategy would break other parts of
inn, either.

Anyway, I'll quit bugging the INN list now. :) Just wanted to say I
appreciate the prompt response on this, Russ.

Jeff King
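
The INNCONF point above, as an added example that is not part of the original message and is not INN's code: a set-id program can refuse an environment-supplied config path whenever its real and effective IDs differ. The function names and the `/path/to/inn.conf` default are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder for the compiled-in location; the real path is not given here. */
#define DEFAULT_CONF "/path/to/inn.conf"

/* Nonzero when set-id bits gave the process IDs the invoking user lacks. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/*
 * Pick the config file. The environment override is honored only for an
 * unprivileged process, and only when it is a non-empty absolute path.
 */
const char *choose_conf_path(const char *env_value, int privileged)
{
    if (privileged)
        return DEFAULT_CONF;          /* caller controls env: ignore it */
    if (env_value == NULL || env_value[0] != '/')
        return DEFAULT_CONF;          /* unset, empty, or relative */
    return env_value;
}

/* Wrapper a setgid/setuid program would call before reading its config. */
const char *conf_path(void)
{
    int priv = ids_differ(getuid(), geteuid(), getgid(), getegid());
    return choose_conf_path(getenv("INNCONF"), priv);
}

int main(void)
{
    printf("config file: %s\n", conf_path());
    return 0;
}
```

The ID comparison only covers set-id programs such as inews; a daemon started directly as root sees equal real and effective IDs, so for it the override has to be dropped or restricted by other means.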






More information about the inn-workers mailing list