cfv@packet.UUCP (06/02/83)
I seem to have found a bug in the inews source module control.c. When I am running as superuser (as defined by ROOTID in defs.h) and I want to globally cancel an article created on my system by someone else, I was unable to do so. When I tracked it down, in the function cancel() I found the following code line: if((uid==ROOTID||uid==0) && strncmp(msgng,"to.",3) == 0) su = 1; What this does is check to see if your effective id (so su works) is ROOTID or if your are root AND if the message is to 'to.*'. This means that unless the message I am cancelling is going to 'to.foobar' superuser is never set for the cancel command, so I cannot even cancel something out of general. I have changed this to look like: if((uid==ROOTID||uid==0)) su = 1; which removes the message group restriction. This may or may not be a problem at your site, and it may not even be a bug (without it it doesn't seem to work as advertised, but I am new to this software). One final comment. I question the (uid==0) check for cancel privileges. If I remember the documentation properly there is no notice that root has su privileges, and a comment that superuser does not have to be root. In many cases the person maintaining news will be the person on root, but I don't believe it is guaranteed and I definitely don't think it is safe to hard code superuser to root into the program and not document it because it becomes possible for a non-privileged root to accidently cancel someone elses message without knowing it or even realizing he is privileged. I have't pulled this check out of my system yet, but I would like to hear someone justify it or tell me that my analysis is incorrect. chuck ucbvax!amd70!packet!cfv
ka@spanky.UUCP (06/03/83)
If you didn't write an article, you can still delete it on your machine if you are the netnews administrator, but you can't delete it on other people's machines. This seems fairly reasonable to me. As for your "non-privileged root": if you log in as root on UNIX you can do *anything*; that is the whole point of a root login. If somebody just wants to read news they can do it without being logged in as root. Kenneth Almquist