[INN-COMMITTERS] STABLE-2_3 inn/innfeed (misc.c)
rra at stanford.edu
Tue Jul 11 07:00:28 UTC 2000
Forrest J Cavalier <mibsoft at epix.net> writes:
> Untrusted non-user-news data can get into many places in innd and
> innfeed (which are setuid programs) through the configuration file,
> which can be changed via an environment variable.
Neither innfeed nor innd are effectively setuid programs any more with the
2.3 changes to startinnfeed and inndstart. Both of the wrappers now
refuse to run if run by anyone other than the news user, the same user to
which they eventually setuid before execing innfeed or innd. In
effect, they therefore perform a very limited set of privileged operations
(raising process limits and binding to a privileged port) and then drop
back to the same UID they were originally run as.
I think that effectively deals with this problem of bogus data. Said data
has to be pointed to by the caller of those programs, so you'd have to
somehow trick someone with access to the news account to set INNCONF to
point at a bogus inn.conf file... and if you've gotten that far, you can
just modify the real one. But there may be remaining flaws; if you see
any, please point them out.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
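
The wrapper behaviour described in the message above, as an added example (not the source of startinnfeed or inndstart, and not part of the original post): a setuid-root wrapper that refuses any caller other than the service account, then drops back to that account and verifies the drop. The function names are hypothetical; the account name "news" is taken from the message.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Gate: only the unprivileged service account itself may invoke the
   setuid-root wrapper.  Returns 1 to proceed, 0 to refuse. */
int caller_is_service_user(uid_t real_uid, uid_t service_uid)
{
    return service_uid != 0 && real_uid == service_uid;
}

/* Permanently drop to uid/gid and verify the drop.  Returns 0 on success.
   Supplementary groups are inherited from the caller, who is already the
   service account once the gate above has passed. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)   /* group first, then user */
        return -1;
    if (uid != 0 && setuid(0) == 0)             /* root must be unreachable */
        return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

int main(void)
{
    struct passwd *pw = getpwnam("news");       /* account name as in the message */
    if (pw == NULL) {
        fprintf(stderr, "no news account\n");
        return 1;
    }
    if (!caller_is_service_user(getuid(), pw->pw_uid)) {
        fprintf(stderr, "must be run by news\n");
        return 1;
    }
    /* Privileged steps (raising limits, binding the port) would happen here,
       before any configuration or environment-derived data is parsed. */
    if (drop_to(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "cannot drop privileges\n");
        return 1;
    }
    printf("running as uid %ld; exec of the daemon would follow\n",
           (long)getuid());
    return 0;
}
```

Because the gate compares the real UID rather than the effective one, environment variables such as INNCONF can only be set by someone who already holds the news account.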