Newsgroups: news.software.b
Path: utzoo!henry
From: henry@zoo.toronto.edu (Henry Spencer)
Subject: Re: "fascist" option (or posting security)
Message-ID: <1991May1.211353.346@zoo.toronto.edu>
Date: Wed, 1 May 1991 21:13:53 GMT
References: <1991Apr26.070028.705000@zeus.calpoly.edu> <17196@celit.fps.com> <1991May1.124919.8706@ohm.york.ac.uk>
Organization: U of Toronto Zoology

In article <1991May1.124919.8706@ohm.york.ac.uk> nigelm@ohm.york.ac.uk (Nigel Metheringham) writes:
>So, why can't we knock the setuid bits off relaynews, and then add a
>small setuid (news) program (maybe called injectnews), which is the
>one called by inews...
>injectnews checks the current UID against a stop list (or for the
>really fascist, against a valid posters list).  If it accepted
>someone then it could be passed on to relaynews...

It's a viable approach.  However, you need to be careful to guard against
several other back doors.  For example, on a system named (say) utzoo, it
is quite possible to do

	cat myarticle | uux - utzoo!rnews

and have the article processed as if it came in from outside.
-- 
And the bean-counter replied,           | Henry Spencer @ U of Toronto Zoology
"beans are more important".             |  henry@zoo.toronto.edu  utzoo!henry
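
Added example, not part of the original post and not C News code: a C sketch of the UID check the quoted injectnews proposal describes, covering both the stop list and the valid-posters list. The list format (one decimal UID per line), the function names and the deny-on-unreadable-list behaviour are assumptions made here. The check gates only the inews path; the uux route to rnews shown in the reply does not pass through it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum mode { STOP_LIST, VALID_POSTERS };

/* Return 1 if uid is in the list text: one decimal UID per line; any line
 * that is not purely digits (comments, blanks, junk) is ignored. */
int uid_listed(const char *list, uid_t uid)
{
    for (const char *p = list; *p; ) {
        size_t len = strcspn(p, "\n");
        if (*p >= '0' && *p <= '9') {
            char *end;
            unsigned long v = strtoul(p, &end, 10);
            if ((size_t)(end - p) == len && v == (unsigned long)uid)
                return 1;
        }
        p += len;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* Policy decision. list == NULL means the list could not be read; this
 * sketch assumes denying everyone is the right answer then, in both modes. */
int may_post(enum mode m, const char *list, uid_t uid)
{
    if (list == NULL)
        return 0;
    int listed = uid_listed(list, uid);
    return m == STOP_LIST ? !listed : listed;
}

int main(void)
{
    /* Constructed sample; a real wrapper would read a file only news can write. */
    const char *stop = "# constructed sample stop list\n1001\n1002\n";
    uid_t me = getuid();  /* real UID; the effective UID is news when setuid */

    if (!may_post(STOP_LIST, stop, me)) {
        fprintf(stderr, "injectnews: uid %lu may not post\n", (unsigned long)me);
        return 1;
    }
    /* Hypothetical next step: hand the article on stdin to relaynews. */
    return 0;
}
```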
