Aucbonyx.219
net.news
utzoo!decvax!ucbvax!ARPAVAX:Onyx:jmrubin
Thu Dec 31 07:14:40 1981
inews lossage: response to sri-unix.425
					5 Jan 82 (despite the header)
Problem:
(where % is $ if you are an sh person)
% chmod 0600 foo.bar
% inews -u foo.bar -n net.movies -t "blah"
inews: Cannot open foo.bar (r). 

Solution:
% inews -n net.movies -t "blah" < foo.bar

The trouble is that inews is setuid "glickman",
-rwsr-sr-x 2 glickman  48902 Dec 19 18:58 /usr/ucb/bin/inews
( rws instead of rwx )
where glickman is the local news administrator.
(change glickman to whatever user name you use locally
for this program)
(Here, you will note, it is also setgid--I'm not sure why.)

Thus, while you are using the program, you have the permissions
of "newsperson", not your own permissions.  If you do <, on the
other hand, it is the shell which opens foo.bar for reading,
rather than inews, so it does so with your permissions.

There are several alternative solutions.  One would be to make inews
setuid root and then use an access call to check whether the real
user has permission to read the file.  The trouble with this is
that this assumes that it is known that inews has no security bugs.

Another alternative solution would be to fork a process which would
then do a setuid(getuid()) call and pipe the file in.  Of course,
this means an extra load on the system.

					Joel Rubin