dave@lsuc.UUCP (01/30/87)
It's no big secret that there are lots of holes on netnews.
For news administrators who are concerned about such things,
however, the spooling and batching mechanisms provide places
where someone could construct an article which appeared to
come from anyone, and leave it to get posted automatically.
1. If /usr/spool/news/.rnews (SPOOLDIR) is generally writeable,
anyone can leave an article there for processing.
2. If /usr/spool/news/batch (BATCHDIR) is writeable, or its individual
files are (i.e., system names), anyone can stick in a reference to
their own file or some file in /tmp (i.e., the file names waiting
to be batched don't have to be in /usr/spool/news), and that file
will get transferred as incoming news to the system in question.
Tightening up permissions on these directories should be possible,
but you have to at least make sure that sendbatch is run by news,
since sendbatch rm's the files in BATCHDIR. rnews is already setUID,
so should be able to handle a protected SPOOLDIR, I think.
David Sherman
The Law Society of Upper Canada
Toronto
--
{ seismo!mnetor cbosgd!utcs watmath decvax!utcsri ihnp4!utzoo } !lsuc!dave