dave@lsuc.UUCP (01/30/87)
It's no big secret that there are lots of holes on netnews. For news administrators who are concerned about such things, however, the spooling and batching mechanisms provide places where someone could construct an article which appeared to come from anyone, and leave it to get posted automatically. 1. If /usr/spool/news/.rnews (SPOOLDIR) is generally writeable, anyone can leave an article there for processing. 2. If /usr/spool/news/batch (BATCHDIR) is writeable, or its individual files are (i.e., system names), anyone can stick in a reference to their own file or some file in /tmp (i.e., the file names waiting to be batched don't have to be in /usr/spool/news), and that file will get transferred as incoming news to the system in question. Tightening up permissions on these directories should be possible, but you have to at least make sure that sendbatch is run by news, since sendbatch rm's the files in BATCHDIR. rnews is already setUID, so should be able to handle a protected SPOOLDIR, I think. David Sherman The Law Society of Upper Canada Toronto -- { seismo!mnetor cbosgd!utcs watmath decvax!utcsri ihnp4!utzoo } !lsuc!dave