Newsgroups: comp.sys.3b1
Path: utzoo!utgpu!cunews!micor!latour!ecicrl!clewis
From: clewis@ferret.ocunix.on.ca (Chris Lewis)
Subject: Re: COPS security audit and the unix pc.
Message-ID: <1991Apr03.201214.8915@ferret.ocunix.on.ca>
Date: Wed, 03 Apr 91 20:12:14 GMT
References: <1991Mar23.004007.2024@shibaya.lonestar.org> <1991Mar26.225255.6048@ferret.ocunix.on.ca> <563@iczer-1.UUCP>
Organization: Elegant Communications Inc, Ottawa, Canada

In article <563@iczer-1.UUCP> emm@iczer-1.UUCP (Edward M. Markowski) writes:
>In article <1991Mar26.225255.6048@ferret.ocunix.on.ca> clewis@ferret.ocunix.on.ca (Chris Lewis) writes:
>>>chmod o-w ... /usr/spool/news

>>Unless you're using C-news, you just broke your news system. Aha, you
>>ARE using C-news (/usr/lib/newsbin). Consider this a warning to anybody
>>else reading this article - if you're running B-news, do NOT make /usr/spool/news
>>or /usr/lib/news anything other than 777. Sigh...

>In one of the header files in the news distribution(sp?) there is a
>constant that will allow the lib and spool directories to be set to
>755, the articles to be created 644 and the spool dirs 755. I do not
>remember which header and constant but it is documented there or in the
>Nutshell book Managing UUCP and USENET.

It's in the defs.h for B news. However, it won't work on System V
systems because of the way setuid/setgid programs, setuid()/setgid()
and mkdir work. (as in, if a setuid program calls mkdir, the directory
ends up being owned by the real user not the effective, rnews can't
write into it, and there's no "elegant" way around it in System V)

Which is why C-news goes to all of the kludgey junk for the "setnewsids"
program which runs as setuid root to run relaynews properly. Bnews has
no such kludge, though you could retrofit setnewsids if you wanted.
-- 
Chris Lewis, clewis@ferret.ocunix.on.ca or ...uunet!mitel!cunews!latour!ecicrl!clewis
Psroff support: psroff-request@eci386.uucp, or call 613-832-0541 (Canada)
**** somebody's mailer is appending .bitnet to my From: address. If you
see this, please use the address in the signature, and send me a copy
of the headers of the mail message with the .bitnet return address. Thanks!
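
The two conditions this thread turns on, a spool directory that ends up owned by a uid other than the news owner and a spool directory left writable by "other", can be checked with stat(2). The C sketch below is an added example, not part of the original post and not code from B-news, C-news or COPS. The function names, flag names and the scratch path under /tmp are hypothetical, and it assumes a current POSIX system, where mkdir(2) gives the new directory the effective uid of the caller.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for lstat() and mkdtemp() */
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical flag names, chosen for this example only. */
#define SPOOL_OK          0
#define SPOOL_WRONG_OWNER 1   /* owner is not the expected (news) uid */
#define SPOOL_WORLD_WRITE 2   /* "other" write bit set, as in a 777 spool */
#define SPOOL_ERROR       4   /* cannot stat, or not a directory */

/* Audit one directory; returns a bitmask of the flags above. */
int audit_spool_dir(const char *path, uid_t expected_owner)
{
    struct stat st;
    int flags = SPOOL_OK;

    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return SPOOL_ERROR;
    if (st.st_uid != expected_owner)
        flags |= SPOOL_WRONG_OWNER;   /* the owner could not write a 755 dir */
    if (st.st_mode & S_IWOTH)
        flags |= SPOOL_WORLD_WRITE;   /* what "chmod o-w" would clear */
    return flags;
}

/* Create a 755 directory, then verify who ended up owning it. */
int make_spool_dir(const char *path, uid_t expected_owner)
{
    if (mkdir(path, 0755) != 0)
        return SPOOL_ERROR;
    return audit_spool_dir(path, expected_owner);
}

int main(void)
{
    char base[] = "/tmp/spoolchk.XXXXXX";   /* constructed scratch location */
    char sub[64];
    if (mkdtemp(base) == NULL) return 1;
    snprintf(sub, sizeof sub, "%s/comp", base);
    printf("real uid=%ld effective uid=%ld\n", (long)getuid(), (long)geteuid());
    printf("audit flags for new dir: %d\n", make_spool_dir(sub, geteuid()));
    rmdir(sub); rmdir(base);
    return 0;
}
```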