Path: utzoo!mnetor!geac!torsqnt!news-server.csri.toronto.edu!math.lsa.umich.edu!zaphod.mps.ohio-state.edu!samsung!munnari.oz.au!bunyip!brolga!brolga2!ant
From: ant@brolga.cc.uq.oz.au (Anthony Murdoch)
Newsgroups: news.software.nntp
Subject: The case of the phantom chowner (solved ?)
Summary: Why nullify a filename just before using it.
Keywords: chown("",NEWSID,NEWSGRP)
Message-ID: <1990Jul24.071014.4809@brolga.cc.uq.oz.au>
Date: 24 Jul 90 07:10:14 GMT
Organization: Prentice Computer Centre
Lines: 66

Greetings nntp/cnews administrators everywhere,

I'd like to take you if I may, ...... , on a strange journey. This is the story of "The Phantom 'chown'er."

It all started a couple of weeks ago, when I changed from nntp 1.5.5 to 1.5.9. After some initial teething problems, everything appeared to be working happily. And then it happened. A seemingly random file (actually a directory) was being chowned to news.news at apparently random intervals.

After some investigation, we found that the Phantom was working in close cahoots (sp?) with the nntpd. Every time that nntpd was started by inetd, the file was being chowned, not just once, but quite often, as when we chowned the file back, it would chown it again to news.news before we could even look at it.

I hear you ask, "What was the file's name?" Well, here it gets even weirder. The directory was initially "/usr/local/src/cops", but even when we changed the name of the directory, it was still coming under attack from the Phantom. So it seemed that the Phantom was working on an i-node that something was giving it.

At first we put it off as a not terribly important problem, just an irritating one, but then on Friday we found that it had changed its prey to the root directory.

After a little bit of looking around today we think we have found out the Phantom's terrible secret. When we ran "trace -p" on the nntpd process as it ran, we noticed that it was making calls to chown with an empty string.
From there it wasn't too hard to track it down to "batch.c" (there are only 2 places in the server where chown is called from). Below I have included a quick patch until it is included into a future patch level.

BTW, has anyone else noticed this strange behavior? It seems a weird thing for chown to do when given an empty string.

ant

root-[brolga] diff -c batch.c batch.c.old *** batch.c Tue Jul 24 16:42:23 1990 --- batch.c.old Thu Jul 5 17:29:11 1990 *************** *** 88,95 **** if (!cpstdin(cont_code, err_code, errbuf)) /* may create tempfile */ return 0; #ifdef POSTER ! if (tempfile[0]) ! (void) chown(tempfile, uid_poster, gid_poster); #endif status = appbatch(); if (tempfile[0] != '\0') --- 88,94 ---- if (!cpstdin(cont_code, err_code, errbuf)) /* may create tempfile */ return 0; #ifdef POSTER ! (void) chown(tempfile, uid_poster, gid_poster); #endif status = appbatch(); if (tempfile[0] != '\0')

--
V ant "It's great to be young and insane" \o/ ant@brolga.cc.uq.oz.au - Dream Team -O- Anthony Murdoch Prentice Computer Centre /0\ Phone (07) 3774078 University of Qld
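
Review bot: The diff is taken in the reverse direction ("diff -c batch.c batch.c.old"), so the "***" side at 88,95 is the fixed file and the "---" side at 88,94 is the original; applied as posted to an unpatched batch.c it only works if patch detects the reversal or is run with -R. Regenerating it as "diff -c batch.c.old batch.c" avoids that. On the fix itself, the new guard is written "if (tempfile[0])" while the test two lines later is "if (tempfile[0] != '\0')", so one spelling should be used for both, and the chown result is still cast to void, so a failed ownership change on a real temp file goes unnoticed.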
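
One way to write the guarded ownership change described in the post, as an added example that is not part of the original post or of the nntp sources. The names give_tempfile_to and demo_own_tempfile are hypothetical, and O_NOFOLLOW and fchown assume a POSIX.1-2008 system. It goes beyond the posted one-line check: it also binds the change to a single opened inode, refuses anything that is not a regular file, and returns the result instead of discarding it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not nntpd code): give a spool temp file to uid/gid.
 * Returns 0 on success, -1 with errno set when refused or when a call fails. */
int give_tempfile_to(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd, rc, saved;

    if (path == NULL || path[0] == '\0') {  /* no temp file was created */
        errno = EINVAL;
        return -1;
    }
    /* Bind to one inode first; O_NOFOLLOW refuses a symlink as the last component. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        rc = -1;
    } else if (!S_ISREG(st.st_mode)) {      /* never re-own a directory or device */
        errno = ENOTSUP;
        rc = -1;
    } else {
        rc = fchown(fd, uid, gid);          /* acts on the inode just checked */
    }
    saved = errno;                          /* keep the cause across close() */
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed demo: create a temp file and hand it to our own uid/gid. */
int demo_own_tempfile(void)
{
    char name[] = "/tmp/chowndemoXXXXXX";
    int fd = mkstemp(name), rc;

    if (fd < 0)
        return -1;
    close(fd);
    rc = give_tempfile_to(name, geteuid(), getegid());
    unlink(name);
    return rc;
}
```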