Newsgroups: comp.sys.3b1
Path: utzoo!utgpu!cunews!micor!latour!ecicrl!clewis
From: clewis@ferret.ocunix.on.ca (Chris Lewis)
Subject: Re: COPS security audit and the unix pc.
Message-ID: <1991Apr03.201214.8915@ferret.ocunix.on.ca>
Date: Wed, 03 Apr 91 20:12:14 GMT
References: <1991Mar23.004007.2024@shibaya.lonestar.org> <1991Mar26.225255.6048@ferret.ocunix.on.ca> <563@iczer-1.UUCP>
Organization: Elegant Communications Inc, Ottawa, Canada

In article <563@iczer-1.UUCP> emm@iczer-1.UUCP (Edward M. Markowski) writes:
>In article <1991Mar26.225255.6048@ferret.ocunix.on.ca> clewis@ferret.ocunix.on.ca (Chris Lewis) writes:
>>>chmod o-w ... /usr/spool/news

>>Unless you're using C-news, you just broke your news system.  Aha, you
>>ARE using C-news (/usr/lib/newsbin).  Consider this a warning to anybody
>>else reading this article - if you're running B-news, do NOT make /usr/spool/news
>>or /usr/lib/news anything other than 777.  Sigh...

>In one of the header files in the news distribution(sp?) there is a
>constant that will allow the lib and spool directories to be set to
>755, the articles to be created 644 and the spool dirs 755.  I do not
>remember which header and constant but it is documented there or in the
>Nutshell book Managing UUCP and USENET.

It's in the defs.h for B news.  However, it won't work on System V systems
because of the way setuid/setgid programs, setuid()/setgid() and mkdir
work.  (as in, if a setuid program calls mkdir, the directory ends up
being owned by the real user not the effective, rnews can't write
into it, and there's no "elegant" way around it in System V)  Which is why
C-news goes to all of the kludgey junk for the "setnewsids" program which
runs as setuid root to run relaynews properly.

Bnews has no such kludge, though you could retrofit setnewsids if you wanted.
-- 
Chris Lewis,
clewis@ferret.ocunix.on.ca or ...uunet!mitel!cunews!latour!ecicrl!clewis
Psroff support: psroff-request@eci386.uucp, or call 613-832-0541 (Canada)
**** somebody's mailer is appending .bitnet to my From: address.  If you
see this, please use the address in the signature, and send me a copy
of the headers of the mail message with the .bitnet return address.  Thanks!
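
[Added example, not part of the original post and not code from B news, C news or COPS.] A COPS-style check for the two conditions discussed above: spool directories left world-writable, and directories owned by someone other than the news uid (the symptom of the real-uid mkdir behaviour). The function and flag names are hypothetical, and only the write permission bits are examined (search bits and ACLs are ignored).

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define SPOOL_OK           0
#define SPOOL_WORLD_WRITE  1  /* o+w set: the 777 setup */
#define SPOOL_WRONG_OWNER  2  /* not owned by the news uid */
#define SPOOL_NEWS_BLOCKED 4  /* wrong owner and no write path left for news */
#define SPOOL_ERROR        8  /* missing, unreadable or not a directory */

/* Pure classification, so the logic can be exercised without root. */
int classify_dir(uid_t owner, gid_t group, mode_t mode,
                 uid_t news_uid, gid_t news_gid)
{
    int flags = SPOOL_OK;

    if (mode & S_IWOTH)
        flags |= SPOOL_WORLD_WRITE;
    if (owner != news_uid) {
        /* Directory was created under some other (e.g. real) uid. */
        int via_group = (group == news_gid) && (mode & S_IWGRP);
        flags |= SPOOL_WRONG_OWNER;
        if (!via_group && !(mode & S_IWOTH))
            flags |= SPOOL_NEWS_BLOCKED;   /* e.g. mode 755, foreign owner */
    }
    return flags;
}

/* Stat one directory and classify it; lstat() so symlinks are not followed. */
int check_dir(const char *path, uid_t news_uid, gid_t news_gid)
{
    struct stat st;

    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return SPOOL_ERROR;
    return classify_dir(st.st_uid, st.st_gid, st.st_mode, news_uid, news_gid);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s spool-dir\n", argv[0]);
        return 2;
    }
    /* Assumption: run as the news user, so its ids are the expected owner. */
    int flags = check_dir(argv[1], geteuid(), getegid());
    printf("%s: flags=%d\n", argv[1], flags);
    return flags != SPOOL_OK;
}
```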
