Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!pacbell!ptsfa!jmc
From: jmc@PacBell.COM (Jerry Carlin)
Newsgroups: news.software.b
Subject: Re: Cnews security
Message-ID: <4854@ptsfa.PacBell.COM>
Date: 26 Jun 89 15:27:02 GMT
References: <9482@b-tech.ann-arbor.mi.us> <1989Jun24.204900.24693@utzoo.uucp> <9490@b-tech.ann-arbor.mi.us> <1989Jun25.175214.13599@utzoo.uucp>
Reply-To: jmc@PacBell.COM (Jerry Carlin)
Organization: Pacific * Bell, San Ramon, CA
Lines: 17

In article <1989Jun25.175214.13599@utzoo.uucp> henry@utzoo.uucp (Henry Spencer) writes:
>Uh, why would a user ever run rnews?  Only other systems do that.

A user would not, an abuser would!

>As for relaynews via inews, yes, this is the only exception to the rule.
>And this one is absolutely inescapable -- if users are to be able to post
>news, they have to be able to run something which has news powers.  How
>would you avoid this?

You can't avoid it but it can be minimized by running the minimum amount
of code setuid, hopefully only on startup/file open time, followed by
changing to real user. 

-- 
Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc
To dream the impossible dream. To fight the unbeatable foe.