inn-2.2 inews buffer overflow
Russ Allbery
rra at stanford.edu
Mon Aug 30 10:51:21 UTC 1999
Jeff King <peff at dbd.com> writes:
> On 21 Aug 1999, Russ Allbery wrote:
>> A fourth class required user control over inn.conf. I don't remember
>> how much in the way of environment variables we're honoring these days
>> to redirect things at a different inn.conf, so I fixed those too.
> ReadInnConf() checks the INNCONF environment variable for this (which is
> nasty...on RH, by cracking group "news" I can use innd to crack "root",
> although a kludge (hardcoding /var/run/news as pathrun) in the rpm
> allows me only to crack user "news").
There have been various other fixes or changes checked in for this, but I
haven't tracked them all and am not sure what the status of all of them
is these days.
I think the idea of supporting multiple inn.conf files is good, but that
startinnd really shouldn't be honoring any kind of environment variables.
I think a much better approach would be to hard-code the path to inn.conf
and the news user and group into startinnd but provide a simple and
documented way for people to build additional copies of startinnd with
different paths, users, and groups hard-coded if they need them. That
supports the odd configuration while making the common case simpler and
more secure.
> Anyway, I'll quit bugging the INN list now. :) Just wanted to say I
> appreciate the prompt response on this, Russ.
Sure. :)
--
Russ Allbery (rra at stanford.edu) <URL:http://www.eyrie.org/~eagle/>
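
The approach proposed above, sketched as an added example (not part of the original message and not INN's startinnd): path, user and group are compile-time constants, the caller's environment is discarded, and INNCONF is set only from the compiled-in value. The macro names, default paths and clean_env() helper are assumptions, and it relies on ReadInnConf() honouring INNCONF as described in the quoted text.

```c
#define _DEFAULT_SOURCE  /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>
/* Build-time settings; macro names and default paths are assumptions. A site
 * with an odd layout builds another copy: cc -DINN_CONF_PATH='"/alt/inn.conf"' */
#ifndef INN_CONF_PATH
#define INN_CONF_PATH "/usr/local/news/etc/inn.conf"
#endif
#ifndef INND_PATH
#define INND_PATH "/usr/local/news/bin/innd"
#endif
#ifndef NEWS_USER
#define NEWS_USER "news"
#endif
#ifndef NEWS_GROUP
#define NEWS_GROUP "news"
#endif

/* Build the child's environment from scratch: fixed PATH, INNCONF set to the
 * compiled-in path, and the caller's TZ if it names no file path. The caller's
 * own INNCONF, LD_PRELOAD and everything else are dropped. out needs 4 slots. */
size_t clean_env(char *const in[], char *out[])
{
    size_t n = 0;
    out[n++] = "PATH=/bin:/usr/bin";
    out[n++] = "INNCONF=" INN_CONF_PATH;
    for (; in != NULL && *in != NULL; in++)
        if (n < 3 && strncmp(*in, "TZ=", 3) == 0
            && strchr(*in, '/') == NULL)
            out[n++] = *in;
    out[n] = NULL;
    return n;
}

int main(void)
{
    extern char **environ;
    char *env[4], *argv[] = { INND_PATH, NULL };
    struct passwd *pw = getpwnam(NEWS_USER);
    struct group *gr = getgrnam(NEWS_GROUP);
    if (pw == NULL || gr == NULL) return 1;   /* configured account missing */
    clean_env(environ, env);
    /* Drop supplementary groups, then gid, then uid; abort on any failure. */
    if (setgroups(1, &gr->gr_gid) || setgid(gr->gr_gid) || setuid(pw->pw_uid))
        return 1;
    execve(INND_PATH, argv, env);
    return 1;                                 /* execve only returns on failure */
}
```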