Newsgroups: news.software.b
Path: utzoo!henry
From: henry@zoo.toronto.edu (Henry Spencer)
Subject: Re: I need help with a relaynews problem...
Message-ID: <1991Feb21.171246.10196@zoo.toronto.edu>
Organization: U of Toronto Zoology
References: <365@camdev.comm.mot.com?> <1991Feb19.214903.22845@zoo.toronto.edu> <1991Feb21.042744.26770@wsrcc.com>
Date: Thu, 21 Feb 1991 17:12:46 GMT

In article <1991Feb21.042744.26770@wsrcc.com> wolfgang@wsrcc.com (Wolfgang S. Rupprecht) writes:
>relaynews didn't like the $NEWSUMASK environment variable it was
>passed.  Grumble.  If it doesn't like the recommended umask why didn't
>it just *ignore* the recommendation?  As it is, relaynews seems to use
>any excuse to revoke its setuid privileges and then fail ...

It didn't just ignore the recommended umask because there was presumably
a reason for the recommendation.  However, it did renounce setuid because
it couldn't accept the recommendation without opening up the possibility
of security holes.  The ability to override the configuration parameters
with environment variables is useful for many things, but it does open
up vulnerabilities if it's not done carefully.

>Oh, the source of the incorrect umask?  Apparently .../news/bin/conf
>was never updated (a local build permissions problem???).  Relaynews
>"knew" the correct umask to use since this knowledge was compiled in...

There are some tricky problems with updating the configuration information,
since it has to be updated in more than one place.  A fix for this is being
thought about.
-- 
"Read the OSI protocol specifications?  | Henry Spencer @ U of Toronto Zoology
I can't even *lift* them!"              |  henry@zoo.toronto.edu  utzoo!henry
