Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!b-tech!zeeff
From: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Newsgroups: news.software.b
Subject: Cnews security
Message-ID: <9482@b-tech.ann-arbor.mi.us>
Date: 23 Jun 89 18:48:35 GMT
Reply-To: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Organization: Branch Technology Ann Arbor, MI
Lines: 16

One thing that bothers me about news (cnews or 2.11) is that it doesn't
have any protection once someone breaks the news id - if you break news,
you can break many other ids (via a trojan horse) because so many people
run things owned by news. Given that news isn't such a hard one to break
(cnews took me about 10 min - it's being fixed) this is a problem.

I'd much prefer that everything went through a root owned program that did
a setuid(), setgid() to news before doing anything.

Uucp has the same problem. If you can break it, you can break many ids.
A "firewall" is needed to contain any damage.

--
Jon Zeeff           zeeff@b-tech.ann-arbor.mi.us
Ann Arbor, MI       sharkey!b-tech!zeeff
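
A sketch of the root-owned wrapper the post asks for, added here as an example; it is not part of the original post and not C News code. It assumes a POSIX system and an account named `news` as in the post. `NEWS_TARGET` is a placeholder path, `drop_to` is a name chosen for this example, and the fixed environment is an extra hardening choice the post does not mention.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Assumptions: account name taken from the post; the path is a placeholder. */
#define NEWS_USER   "news"
#define NEWS_TARGET "/path/to/news-program"

/* Permanently switch to uid/gid. Returns 0 on success, -1 on any failure. */
int drop_to(uid_t uid, gid_t gid)
{
    /* Supplementary groups first: only root can change them, and they
       would otherwise survive the switch. Nothing to shed if staying root. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group before user: after setuid() we may no longer be allowed to. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible for a non-root target. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    /* Real and effective ids must all match what was asked for. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Fixed, minimal environment: nothing inherited from the caller. */
    char *clean_env[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };
    struct passwd *pw = getpwnam(NEWS_USER);
    (void)argc;
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", NEWS_USER);
        return 1;
    }
    if (drop_to(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "could not drop privileges, refusing to run\n");
        return 1;
    }
    argv[0] = NEWS_TARGET;       /* fixed target; caller's arguments pass through */
    execve(NEWS_TARGET, argv, clean_env);
    perror("execve");
    return 1;
}
```

The containment only holds if the wrapper and its directory are owned by root and not writable by `news`; otherwise a compromised news id can replace the wrapper itself.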