Path: utzoo!utstat!helios.physics.utoronto.ca!jarvis.csri.toronto.edu!mailrus!usenet.ins.cwru.edu!cwjcc!ncoast!allbery
From: allbery@NCoast.ORG (Brandon S. Allbery)
Newsgroups: news.software.b
Subject: Re: setuid relaynews in C news
Message-ID: <1990Feb6.031100.29454@NCoast.ORG>
Date: 6 Feb 90 03:11:00 GMT
References: <1990Feb2.024254.18816@lighthouse.com> <1990Feb2.165403.17374@utzoo.uucp> <1990Feb5.032137.4854@NCoast.ORG> <1990Feb5.171912.8316@utzoo.uucp>
Reply-To: allbery@ncoast.ORG (Brandon S. Allbery)
Followup-To: news.software.b
Organization: North Coast Public Access UN*X, Cleveland, OH
Lines: 24

As quoted from <1990Feb5.171912.8316@utzoo.uucp> by henry@utzoo.uucp (Henry Spencer):
+---------------
|In article <1990Feb5.032137.4854@NCoast.ORG> allbery@ncoast.ORG (Brandon S. Allbery) writes:
|>Wouldn't it be better to allow /usr/lib/news/bin/config to override the C
|>pathname functions, and only renounce setuid if either a) the environment is
|>used to override it or b) an alternative config file is specified, presumably
|>via the environment or a (new) command-line option? ...
| 
| The problem is that the C configuration stuff came first, and .../bin/config
| was somewhat of an afterthought.  I am in the process of rethinking this.
| You're correct that there is no hazard unless (a) or (b) is involved.
| 
| There is a lesser problem in that things like manual pages know the paths,
| and it's not so easy for them to pick up the config file.
+---------------

Considering the number of Usenet-distributed manpages I have that contain
hard-coded references to e.g. /usr/ucb/* (with the sole exception of UUNET,
I use only System III/V-based systems), I'm not too worried about this.

++Brandon
-- 
Brandon S. Allbery    allbery@NCoast.ORG, BALLBERY (MCI Mail), ALLBERY (Delphi)
      uunet!cwjcc.cwru.edu!ncoast!allbery ncoast!allbery@cwjcc.cwru.edu