Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!b-tech!zeeff
From: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Newsgroups: news.software.b
Subject: Re: Cnews security
Message-ID: <9490@b-tech.ann-arbor.mi.us>
Date: 25 Jun 89 13:59:18 GMT
References: <9482@b-tech.ann-arbor.mi.us> <1989Jun24.204900.24693@utzoo.uucp>
Reply-To: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Organization: Branch Technology Ann Arbor, MI
Lines: 26

In article <1989Jun24.204900.24693@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes:
>In article <9482@b-tech.ann-arbor.mi.us> zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff) writes:
>>One thing that bothers me about news (cnews or 2.11) is that it 
>>doesn't have any protection once someone breaks the news id - if you 
>>break news, you can break many others ids (via a trojan horse) because 
>>so many people run things owned by news...
>
>Note that in our preferred configuration, the binaries that people would
>run are not owned by news!  News owns only the control files, the articles,
>and one or two crucial binaries.

I disagree.  Unless I've done the installation very wrong, users do 
end up running the crucial binaries newsspool and relaynews.  If you 
are using uucp, users indirectly run newsspool via rnews and relaynews 
is called from inews.  These are news owned programs.  








-- 
In my next life - Jon Zeeff	zeeff@b-tech.ann-arbor.mi.us
Ann Arbor, MI			sharkey!b-tech!zeeff