Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!b-tech!zeeff
From: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Newsgroups: news.software.b
Subject: Re: Cnews security
Message-ID: <9493@b-tech.ann-arbor.mi.us>
Date: 26 Jun 89 13:55:06 GMT
References: <9482@b-tech.ann-arbor.mi.us> <1989Jun24.204900.24693@utzoo.uucp> <9490@b-tech.ann-arbor.mi.us> <1989Jun25.175214.13599@utzoo.uucp>
Reply-To: zeeff@b-tech.ann-arbor.mi.us (Jon Zeeff)
Organization: Branch Technology Ann Arbor, MI
Lines: 33

>>... Unless I've done the installation very wrong, users do
>>end up running the crucial binaries newsspool and relaynews.  If you
>>are using uucp, users indirectly run newsspool via rnews and relaynews
>>is called from inews.  These are news owned programs.
>
>Uh, why would a user ever run rnews?  Only other systems do that.

Users send mail, mail calls uux, uux can call uucico, uucico calls uuxqt,
uuxqt calls rnews.  Uucp can cause a similar sequence.  Yes, users do run
rnews all the time (indirectly) and their id is exposed.

>As for relaynews via inews, yes, this is the only exception to the rule.
>And this one is absolutely inescapable -- if users are to be able to post
>news, they have to be able to run something which has news powers.  How
>would you avoid this?

One weak link in the chain is all it takes.

The easy secure way is for rnews (i.e., the initial entry point) to be a
tiny suid root program (in /usr/bin or something) that does a
setuid(NEWS), setgid(NEWS) before execing the real rnews.  Same for
inews.  Then someone can break news and not get any further.  All other
files and news directories can be news owned and the suid root program
is easily verified as being secure.

I can only speak for Sys V, but these things seem pretty obvious to me.
Using a different id (e.g., news) does little good if all the users have
to completely trust it.  Make the change I suggest and all the users have
to trust is root.

-- 
Are you making the world a       | zeeff@b-tech.ann-arbor.mi.us
better place?                    | Ann Arbor, MI
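The "tiny suid root program" proposed above, written out as an added example. This is editor-supplied code, not C News code and not from the post; the uid/gid values, the path of the real rnews, and the fixed environment are placeholders (assumptions) for illustration. One detail worth getting right that the post glosses over: the group must be set before the uid, because once setuid() has moved the process to an unprivileged uid it can no longer call setgid() or setgroups(). The wrapper also refuses to exec if any step fails, since a failed drop may leave it running as root.

```c
/*
 * Added example: a minimal setuid-root entry point that becomes 'news'
 * and then execs the real program.  Not C News code; NEWS_UID, NEWS_GID,
 * REAL_RNEWS and clean_env are assumed values for illustration.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Assumed ids; on a real system resolve them from passwd/group at build
 * time instead of hard-coding. */
#define NEWS_UID   ((uid_t)9)
#define NEWS_GID   ((gid_t)13)
#define REAL_RNEWS "/usr/lib/newsbin/input/rnews.real"   /* assumed path */

/* Fixed, minimal environment handed to the real program, so nothing the
 * calling user set (PATH, IFS, dynamic-loader variables) reaches it. */
static char *const clean_env[] = {
    "PATH=/bin:/usr/bin",
    "IFS= \t\n",
    NULL
};

/*
 * Drop from root to the news account permanently.  Order matters:
 * supplementary groups, then gid, then uid.  After setuid() to an
 * unprivileged uid, setgroups() and setgid() would fail, so they come
 * first.  Returns 0 on success, -1 on any failure; on failure the caller
 * must NOT exec, because the process may still be root.
 */
int drop_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may change the supplementary group list; an
         * unprivileged caller (such as a test run) skips this step. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/*
 * Confirm that both real and effective ids are the requested ones, so a
 * partial failure cannot leave a root effective id behind.
 * Returns 1 if the drop is complete, 0 otherwise.
 */
int dropped_to(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (drop_to(NEWS_UID, NEWS_GID) != 0 || !dropped_to(NEWS_UID, NEWS_GID)) {
        fprintf(stderr, "rnews: cannot become news\n");
        return 1;
    }
    /* From here on the process is plain 'news'.  A bug in the real rnews
     * now yields at most the news account, never root. */
    argv[0] = "rnews";
    execve(REAL_RNEWS, argv, clean_env);
    perror("rnews: exec");
    return 1;
}
```

Install it owned by root, mode 4711, in /usr/bin, with the real rnews readable and executable only by news. Because the wrapper contains no parsing, no file handling and no user-controlled strings other than argv passed straight through, it is the "easily verified" part of the chain the post is after; everything downstream runs with news powers only.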