[net.news.b] bug in control.c?

cfv@packet.UUCP (06/02/83)

I seem to have found a bug in the inews source module control.c. When I am
running as superuser (as defined by ROOTID in defs.h) and I want to globally
cancel an article created on my system by someone else, I was unable to do
so. When I tracked it down, in the function cancel() I found the following
code line:

if((uid==ROOTID||uid==0) && strncmp(msgng,"to.",3) == 0)
    su = 1;

What this does is check to see if your effective id (so su works) is ROOTID
or if you are root AND if the message is to 'to.*'. This means that unless
the message I am cancelling is going to 'to.foobar' superuser is never set
for the cancel command, so I cannot even cancel something out of general.

I have changed this to look like:

if((uid==ROOTID||uid==0))
    su = 1;

which removes the message group restriction. This may or may not be a problem
at your site, and it may not even be a bug (without it it doesn't seem to
work as advertised, but I am new to this software).

One final comment. I question the (uid==0) check for cancel privileges. If
I remember the documentation properly there is no notice that root has
su privileges, and a comment that superuser does not have to be root. In
many cases the person maintaining news will be the person on root, but I
don't believe it is guaranteed and I definitely don't think it is safe to
hard code superuser to root into the program and not document it because it
becomes possible for a non-privileged root to accidentally cancel someone
else's message without knowing it or even realizing he is privileged. I haven't
pulled this check out of my system yet, but I would like to hear someone
justify it or tell me that my analysis is incorrect.

chuck
ucbvax!amd70!packet!cfv

ka@spanky.UUCP (06/03/83)

If you didn't write an article, you can still delete it on your machine
if you are the netnews administrator, but you can't delete it on other
people's machines.  This seems fairly reasonable to me.  As for your
"non-privileged root":  if you log in as root on UNIX you can do *anything*;
that is the whole point of a root login.  If somebody just wants to read
news they can do it without being logged in as root.
				Kenneth Almquist
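The two checks under discussion, side by side, as an added example that is not code from inews or from either poster. It models the cancel decision as a small function: the su test as posted (privileged uid AND a "to." newsgroup), the su test as cfv changed it (privileged uid in any group), and the author test that lets a poster cancel their own article. The outcome values (no cancel, local-only cancel for an administrator who did not write the article, propagating cancel for the author) follow Kenneth's description of the intended policy; ROOTID's value, the constant names, and the function names are assumptions made here, not identifiers from defs.h or control.c.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for defs.h: ROOTID is the netnews administrator's uid
 * at this site (the value 6 is made up for the example). */
#define ROOTID 6

/* Possible outcomes of a cancel request (names assumed for this example). */
#define NO_CANCEL     0   /* request refused */
#define CANCEL_LOCAL  1   /* delete the copy on this machine only */
#define CANCEL_GLOBAL 2   /* delete here and propagate the cancel */

/* news_su: the superuser test from cancel().
 * With restrict_to_groups != 0 this is the check as posted: a privileged
 * uid is only "su" when the article is in a "to." group.
 * With restrict_to_groups == 0 it is cfv's change: any privileged uid.
 * uid == 0 is accepted in both forms; that is the part cfv questions. */
int news_su(int uid, const char *msgng, int restrict_to_groups)
{
    int privileged = (uid == ROOTID || uid == 0);

    if (restrict_to_groups)
        return privileged && strncmp(msgng, "to.", 3) == 0;
    return privileged;
}

/* cancel_decision: who may cancel what.
 *   - the article's author may always cancel it, and the cancel propagates;
 *   - a news superuser who is not the author may delete it locally only;
 *   - anyone else is refused.
 * The local/global split is the policy Kenneth describes, modelled here as
 * an assumption about intent, not a transcription of inews. */
int cancel_decision(int requester, int author, const char *msgng,
                    int restrict_to_groups)
{
    if (requester == author)
        return CANCEL_GLOBAL;
    if (news_su(requester, msgng, restrict_to_groups))
        return CANCEL_LOCAL;
    return NO_CANCEL;
}

static const char *name(int d)
{
    return d == CANCEL_GLOBAL ? "global" : d == CANCEL_LOCAL ? "local" : "no";
}

/* Stand-alone run: print the decision table for a few constructed cases.
 * uid 100 is the (assumed) author; 200 is an unrelated user. */
int main(void)
{
    const char *groups[] = { "general", "to.foobar" };
    int requesters[] = { 100, 200, ROOTID, 0 };
    int g, r, restrict_flag;

    for (restrict_flag = 1; restrict_flag >= 0; restrict_flag--) {
        printf("su test %s\n", restrict_flag ? "as posted (to.* only)"
                                             : "as changed (any group)");
        for (g = 0; g < 2; g++)
            for (r = 0; r < 4; r++)
                printf("  uid %3d cancelling uid 100's article in %-9s -> %s\n",
                       requesters[r], groups[g],
                       name(cancel_decision(requesters[r], 100, groups[g],
                                            restrict_flag)));
    }
    return 0;
}
```

The table makes cfv's complaint concrete: with the check as posted, ROOTID cancelling another user's article in "general" gets NO_CANCEL, while the same request in "to.foobar" is allowed. It also shows the second point in the thread: uid 0 is treated exactly like ROOTID by both forms of the test, so whether that is acceptable is a policy question, not something the group prefix decides.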