A check that would be desirable for expireover, etc.

Russ Allbery rra at stanford.edu
Sun Mar 31 17:54:58 UTC 2002


Jeffrey M Vinocur <jeff at litech.org> writes:
> On Sat, 30 Mar 2002, figmentality wrote:

>> Would a setgid-news flag on makehistory take care of it?

Not for folks who use --with-umask=022, like I do.

> Hmmm.  Not bad at all.  The tools we're concerned with (the ones that
> change things; not, for example, grephistory) are mode 550 to begin
> with, so there shouldn't be any security concerns.

There aren't all that many of them; I think we could just put in a quick
test of geteuid() at the beginning and exit if they're running as root.  I
think we only need to worry about expire, expireover, makehistory, and
makedbz at a first pass.  Most of the rest either don't create files or
don't create files that need to be written later or that are too hard to
fix (like innxmit or innfeed).  innd and nnrpd already have code to deal
with being run as root.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
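
The geteuid() test proposed in the message above, as an added example that is not part of the original post and is not INN's own code. It goes one step beyond the message by also refusing any user who does not own the data directory; the function names and the default path are hypothetical, and the news user is assumed to own that directory.

```c
/* Added example: refuse to run a file-creating tool as root or as the wrong user. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum run_check { RUN_OK, RUN_IS_ROOT, RUN_WRONG_USER, RUN_STAT_FAILED };

/* Pure decision so it can be tested without changing uid.  Root is refused
   even when root happens to own the directory. */
static enum run_check classify_euid(uid_t euid, uid_t owner)
{
    if (euid == 0)
        return RUN_IS_ROOT;
    return euid == owner ? RUN_OK : RUN_WRONG_USER;
}

/* Compare the effective uid with the owner of the data directory
   (assumption: the news user owns it). */
static enum run_check check_run_user(const char *datadir)
{
    struct stat st;

    if (stat(datadir, &st) != 0 || !S_ISDIR(st.st_mode))
        return RUN_STAT_FAILED;
    return classify_euid(geteuid(), st.st_uid);
}

int main(int argc, char **argv)
{
    /* Hypothetical default path; a real tool would read it from its config. */
    const char *datadir = argc > 1 ? argv[1] : "/var/spool/news";
    static const char *const why[] = {
        "ok", "running as root", "not the owner of the data directory",
        "cannot stat the data directory"
    };
    enum run_check rc = check_run_user(datadir);

    if (rc != RUN_OK) {
        fprintf(stderr, "%s: refusing to run: %s (%s)\n", argv[0], why[rc], datadir);
        return EXIT_FAILURE;
    }
    /* From here on, files created under umask 022 stay writable by their owner. */
    return EXIT_SUCCESS;
}
```

The check runs before any file is opened, so a refused run leaves nothing behind that the news user cannot later rewrite.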

