[news.admin] using NFS to read news

news@rlvd.UUCP (03/11/87)

   Recently there was a discussion in this group about whether NFS or NNTP was
the best system for news reading with a "server" machine and many "clients". I
have a question. If NFS is used for this, i.e., mount the news spool directory on
the client machines, does this cause any security problems? To be more specific,
if the news spool directory is owned by root on the server machine then the
clients cannot post news; if it is not then anyone can write into it. How have
those sites that use NFS got around this problem? Are you happy to let your
clients read news but not post it, or do you not mind anyone being able to
write into your news spool directory on the server machine? I can think of no
simple solution to this problem. How have you done it?


Ian Gunn                               UK JANET : ian@uk.ac.rl.vd
Rutherford Appleton Laboratory             UUCP : ..!mcvax!ukc!rlvd!ian 
Chilton, Didcot, Oxon OX11 0QX             ARPA : @ucl.cs.arpa:ian@vd.rl.ac.uk
England.	                         'phone : (0235) 21900 ext: 5707

trinkle@arthur.cs.purdue.edu.UUCP (03/16/87)

We successfully use news via NFS allowing posting from all machines.
We mount /usr/spool/news on all machines (I encourage read-only mount
option) that want news access.  The trick is to have a version of
inews on the non-server machines that is setuid news and does an rsh
to the "real" news machine.  This is how I have things set up.  Arthur
is the main news server (VAX 8600), Bors is a typical client (Sun).

	/* the spool directory */

arthur 51: ls /usr/spool/news
batch/		junk/		maps/		news/		sci/
comp/		lib/		misc/		purdue/		soc/
control/	lost+found/	mod/		rec/		talk/

	/* the local lib directory */

arthur 52: ls -l /usr/local/lib/news
ls -l /usr/local/lib/news
lrwxrwxrwx  1 root           19 Nov 19 12:11 /usr/local/lib/news@ -> /usr/spool/news/lib

	/* the remote lib directory */

arthur 53: rsh bors ls -Flg /usr/local/lib/news
total 146
lrwxrwxrwx  1 root     staff          26 Mar 12 16:25 active -> /usr/spool/news/lib/active
lrwxrwxrwx  1 root     staff          27 Mar 12 16:25 aliases -> /usr/spool/news/lib/aliases
-rwxrwxr-x  1 root     staff       90112 Mar 12 16:29 caesar*
lrwxrwxrwx  1 root     staff          33 Mar 12 17:07 distributions -> /usr/spool/news/lib/distributions
-r--r--r--  1 root     staff        1077 Mar 12 16:27 help
-rwsr-sr-x  1 news     daemon      49152 Mar 12 16:27 inews*
lrwxrwxrwx  1 root     staff          24 Mar 12 16:25 maps -> /usr/spool/news/lib/maps/
lrwxrwxrwx  1 root     staff          30 Mar 12 16:25 moderators -> /usr/spool/news/lib/moderators
lrwxrwxrwx  1 root     staff          30 Mar 12 16:25 newsgroups -> /usr/spool/news/lib/newsgroups
-r--r--r--  1 root     staff        1300 Mar 12 16:27 vnews.help
arthur 54: 


Notice that /usr/spool/news/lib can be shared with everyone.  I then
install the normal {check,post,read,v}news utilities in
/usr/local/bin.  Here is the source for the remote inews:

------------------------------inews.c------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/types.h>

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64
#endif

/* NEWSHOST and LIBDIR are meant to be supplied at compile time (-D...);
 * these defaults are the server and lib directory shown in the listings. */
#ifndef NEWSHOST
#define NEWSHOST "arthur"
#endif
#ifndef LIBDIR
#define LIBDIR "/usr/local/lib/news"
#endif

char *sbProgName;

void ErrorExit(char *sb);

int main(int csbArg, char *rgsbArg[])
{
	char *pch;
	char sbCmd[2048], sbThisHost[MAXHOSTNAMELEN + 1];
	struct passwd *ppwe;

	(void)csbArg;
	sbProgName = rgsbArg[0];
	if ((pch = strrchr(rgsbArg[0], '/')) != NULL)
		sbProgName = pch + 1;

	/* get the name of this host */
	if (gethostname(sbThisHost, MAXHOSTNAMELEN))
		ErrorExit("this machine does not have a name");
	sbThisHost[MAXHOSTNAMELEN] = '\0';

	/* get /etc/passwd entry for this user */
	if ((ppwe = getpwuid(getuid())) == NULL)
		ErrorExit("you do not exist on this machine");

	/* some bogosities to get rid of phone numbers, etc */
	if ((pch = strchr(ppwe->pw_gecos, ',')) != NULL)
		*pch = '\0';
	if ((pch = strchr(ppwe->pw_gecos, ';')) != NULL)
		*pch = '\0';

	/* do the rsh as news: make the setuid/setgid owner (news/daemon) the
	 * real uid/gid, since rsh identifies the caller by real uid */
	if (setuid(geteuid()))
		ErrorExit("cannot set userid");
	if (setgid(getegid()))
		ErrorExit("cannot set groupid");
	/* the \" and \( escapes survive the local sh, so the remote shell run
	 * by rshd hands inews one -f argument: user@host (Full Name) */
	sprintf(sbCmd, "/usr/ucb/rsh %s %s/inews -h -f \\\"%s@%s \\(%s\\)\\\"", 
		NEWSHOST, LIBDIR, ppwe->pw_name, sbThisHost, ppwe->pw_gecos);
	exit(system(sbCmd) ? 1 : 0);
}

void ErrorExit(char *sb)
{
	fflush(stdout);
	fprintf(stderr, "%s: %s\n", sbProgName, sb);
	exit(1);
}
------------------------------inews.c------------------------------

It is not very secure, but then we are not too concerned with the
security of news articles.

Daniel Trinkle			trinkle@cs.purdue.edu			ARPA
Computer Science Department	trinkle%purdue.edu@relay.cs.net		CSNET
Purdue University		{ucbvax,decvax,ihnp4}!purdue!trinkle	UUCP
West Lafayette, IN 47907	(317) 494-7832				PHONE
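The wrapper above hands system() a string that contains pw_gecos, which users set themselves with chfn, so the full-name text is parsed by the local sh (and again by the remote shell under rshd) with the privileges of news. As an added example that is not part of the post, this is the same rsh hand-off built as an execv() argv, with the gecos field cut down to a safe character set before it is quoted for the remote side. The NEWSHOST and LIBDIR defaults, clean_gecos() and build_inews_argv() are my own names, and pw_name is treated as trusted because only the administrator sets it.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NEWSHOST "arthur"              /* assumed: the post's news server */
#define LIBDIR   "/usr/local/lib/news" /* assumed: lib dir from the listings */

/* Keep gecos up to the first ',' or ';' (as the original does), but only
 * letters, digits, space, '.', '-', '_': no quotes or shell metacharacters. */
size_t clean_gecos(const char *gecos, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *gecos && *gecos != ',' && *gecos != ';'; gecos++) {
        unsigned char c = (unsigned char)*gecos;
        if (n + 1 < outlen && (isalnum(c) || strchr(" .-_", c)))
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* argv for execv(): no local shell re-parses it.  The From: text is single-
 * quoted so rshd's remote shell passes inews one argument; clean_gecos() has
 * removed every quote, so the quoting cannot be escaped.  Returns entry count. */
int build_inews_argv(const char *user, const char *host, const char *gecos,
                     char *from, size_t fromlen, char *argv[7])
{
    char name[128];
    clean_gecos(gecos, name, sizeof name);
    snprintf(from, fromlen, "'%s@%s (%s)'", user, host, name);
    argv[0] = "/usr/ucb/rsh"; argv[1] = NEWSHOST; argv[2] = LIBDIR "/inews";
    argv[3] = "-h";           argv[4] = "-f";     argv[5] = from;
    argv[6] = NULL;
    return 6;
}

int main(void)
{
    char host[65] = "localhost", from[256], *argv[7];
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) { fprintf(stderr, "inews: no passwd entry\n"); return 1; }
    gethostname(host, sizeof host - 1);
    build_inews_argv(pw->pw_name, host, pw->pw_gecos, from, sizeof from, argv);
    /* as in the original: become the setuid owner (news) for real, since rsh
     * reports the caller's real uid to the server */
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; }
    execv(argv[0], argv);      /* returns only if rsh could not be started */
    perror(argv[0]);
    return 1;
}
```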