Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!samsung!rex!ames!mindcraft.com!karish
From: karish@mindcraft.com (Chuck Karish)
Newsgroups: news.software.b
Subject: Re: Restricting article posting with C News...
Summary: group permissions
Message-ID: <663605062.9312@mindcraft.com>
Date: 11 Jan 91 14:44:21 GMT
References: <1991Jan9.201748.4682@zoo.toronto.edu> <3113@crdos1.crd.ge.COM> <1991Jan10.213702.9298@zoo.toronto.edu> <1991Jan11.002040.25338@mp.cs.niu.edu>
Organization: Mindcraft, Inc.
Lines: 22

In article <1991Jan11.002040.25338@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes:
> Perhaps my brain had a core dump, or something, but I don't understand what
> all the fuss is about. C-news doesn't work (for posting articles) without
> invoking some setuid programs such as 'relaynews' and 'newsspool'. If the
> group permissions are used to control who can search $NEWSBIN/relay and
> $NEWSBIN/input, won't the problem be easily solved?

relaynews is the key program here. It has to be setgid on systems that have System V-style inheritance of file group ownership, in order to maintain proper group ownership of the files in the spool.

This means that just changing access to relaynews won't do the job unless you're willing to make all authorized posters members of the 'news' group, which may give them permission to write to various parts of the news system that should be protected.

Summary: It's doable, but you'd have to carefully re-think permissions throughout the news system.

--
Chuck Karish		karish@mindcraft.com
Mindcraft, Inc.		(415) 323-9000
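
An added example, not part of the original post and not C News code: a shell audit that lists every path a given group can write to, which is the set of files that adding posters to 'news' would expose. The function names and the sample tree are constructed for illustration; only the `relay` and `input` directory names and the spool come from the thread.

```shell
#!/bin/sh
# Added example: what would membership in a group allow a user to write?

# Print every path under $1 that belongs to group $2 (name or numeric gid)
# and has the group-write bit set.
group_writable() {
    find "$1" -group "$2" -perm -020 -print | sort
}

# Print the numeric gid that owns path $1.
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Build a constructed sample tree and print its path. The layout and the
# modes are made up for the demonstration, not taken from a real install.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin/relay" "$d/bin/input" "$d/spool/news/software/b"
    : > "$d/bin/relay/relaynews"
    : > "$d/bin/input/newsspool"
    : > "$d/spool/active"
    : > "$d/spool/news/software/b/1"
    # Programs and their directories: readable and searchable, not writable.
    chmod 755 "$d" "$d/bin" "$d/bin/relay" "$d/bin/input"
    chmod 755 "$d/bin/relay/relaynews" "$d/bin/input/newsspool"
    # Spool directories and a control file: group-writable.
    chmod 775 "$d/spool" "$d/spool/news" "$d/spool/news/software" \
              "$d/spool/news/software/b"
    chmod 664 "$d/spool/active"
    # A stored article: group-readable only.
    chmod 644 "$d/spool/news/software/b/1"
    printf '%s\n' "$d"
}

# Demo: audit the constructed tree for the group that owns it.
t=$(make_sample) && group_writable "$t" "$(gid_of "$t")" && rm -rf "$t"
```

On a real system the call would be `group_writable "$NEWSBIN" news` plus the same for the spool directory; every line printed is something a new member of 'news' could modify.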