rc.news: checking whether we run as the news user

Russ Allbery eagle at eyrie.org
Sun Oct 19 03:39:42 UTC 2014


Julien ÉLIE <julien at trigofacile.com> writes:

> In the rc.news man page, there is a BUGS section that mentions:

>     "Running rc.news start as root is never the right thing to do,
>     so we should at minimum check for this and error, or perhaps
>     change effective user ID."

> I suggest checking whether rc.news is run as a user ID other than the
> "news" user (in all cases, be it start or stop).  If that is the case, we
> exit with the error:

>     rc.news should be run as the "news" user

> where "news" is in fact the value of the runasuser keyword in inn.conf
> (the real news user).  I don't think we should change effective user ID
> (if root).  It might hide another issue.

I don't think I ever said explicitly here, but I think it would be fine to
change users.  However, that's rather hard to do safely.  I suppose we
could re-exec ourself with su to news, but I'd worry that there would be
some way of tricking that into running the wrong script.

So, as a fallback, I think detecting this and aborting would be fine.

However, another nice alternative would be to be sure that every program
run from rc.news knows how to switch users to the news user on demand.  In
general, that wouldn't be too hard; innd already handles that case,
expirerm easily could, and so could cnfsstat.  And rc.news could be sure
to chown the active file if it recovers one.  The hard part is innwatch,
which is a giant shell script and can't easily change users.  It's not
clear there's anything horribly wrong with running innwatch as root, but
it's also a giant shell script and I'm not positive it's completely safe
to run that way.

There's also any programs people added to rc.news.local, but I suspect
that's not widely used.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
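The check Julien proposes, written out as an added example in POSIX sh (this is illustration for the thread, not INN's own rc.news code): it reads the runasuser keyword from inn.conf, compares it with the user actually running the script, and fails with the suggested diagnostic so the caller can abort rather than switch users. The inn.conf fragment is constructed here, and the function names and the INNCONF variable are this example's assumptions.

```shell
#!/bin/sh
# Added example: the "am I the news user?" check discussed in the thread,
# as the POSIX sh a script like rc.news could call before doing anything.
# Function names, the sample inn.conf and the INNCONF variable are this
# example's assumptions, not INN's own code.

inn_runasuser() {
    # Print the value of the runasuser keyword in the inn.conf given as $1.
    # inn.conf lines have the form "keyword: value"; the value may be
    # double-quoted and comment lines start with "#".  Falls back to "news",
    # the conventional default, when the keyword is absent.
    _conf=$1
    _user=$(sed -n 's/^[[:space:]]*runasuser[[:space:]]*:[[:space:]]*"\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$_conf" | tail -n 1)
    printf '%s\n' "${_user:-news}"
}

check_news_user() {
    # Usage: check_news_user INNCONF [USER]
    # Succeeds when USER (default: the effective user of this shell, as
    # reported by id -un) is the configured news user.  Otherwise prints the
    # diagnostic proposed in the thread to stderr and fails, so the caller
    # can abort.  Deliberately does not su to the news user: a wrong caller
    # is reported, not silently papered over.
    _conf=$1
    _current=${2:-$(id -un)}
    _wanted=$(inn_runasuser "$_conf")
    if [ "$_current" = "$_wanted" ]; then
        return 0
    fi
    printf 'rc.news should be run as the "%s" user\n' "$_wanted" >&2
    return 1
}

make_sample_innconf() {
    # Write a constructed inn.conf fragment to a temp file and print its
    # path.  Only runasuser matters here; the pathnews line is filler and
    # the commented-out runasuser line must be ignored by the parser.
    _f=$(mktemp)
    cat >"$_f" <<'EOF'
# constructed sample inn.conf fragment, not a real site's configuration
pathnews:               /usr/local/news
runasuser:              news
# runasuser:            nobody
EOF
    printf '%s\n' "$_f"
}

# How rc.news would use it (INNCONF is assumed to hold the site's inn.conf path):
#   check_news_user "$INNCONF" || exit 1
```

Because `id -un` reports the effective user, a plain invocation as root is caught, while `su news -c rc.news` or `sudo -u news rc.news` passes; the check does not try to compensate for a wrong caller, which is the behaviour Julien asked for.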
