ant@brolga.cc.uq.oz.au (Anthony Murdoch) (07/24/90)
Greetings nntp/cnews administrators everywhere, I'd like to take you if I may, ...... , on a strange journey. This is the story of "The Phantom 'chown'er." It all started a couple of weeks ago, when I changed from nntp 1.5.5 to 1.5.9 . After some initial teething problems, everything appeared to be working happily. And then it happened. A seemingly random file (actually a directory) was being chowned to news.news at apparently random intervals. After some investigation, we found that the Phantom was working in close cahoots (sp?) with the nntpd. Everytime that nntpd was started by inetd, the file was being chowned, not just once, but quite often as when we chowned the file back, it would chown it again to news.news before we could even look at it. I hear you ask, "What was the files name ?" Well here it gets eveen weirder. The directory was initially "/usr/local/src/cops", but even when we changed the the name of the directory, it was still coming under attack from the Phantom. So it seemed that the Phantom was working on an i-node that something was giving it. At first we put it off as a not terribly important problem, just an irritating one, but then on Friday we found that it had changed its prey to the root directory. After a little bit of looking around today we think we have found out the Phantom's terrible secret. When we ran "trace -p" on the nntpd process as it ran, we noticed that it was making calls to chown with an empty string. From there it wasn't to had to track it down to "batch.c" (there are only 2 places in the server where chown are called from). Below I have included a quick patch until it is included into a future patch level. BTW, has anyone else noticed this strange behavior ? It seems a weird thing for chown to do when given an empty string. ant root-[brolga] diff -c batch.c batch.c.old *** batch.c Tue Jul 24 16:42:23 1990 --- batch.c.old Thu Jul 5 17:29:11 1990 *************** *** 88,95 **** if (!cpstdin(cont_code, err_code, errbuf)) /* may create tempfile */ return 0; #ifdef POSTER ! if (tempfile[0]) ! (void) chown(tempfile, uid_poster, gid_poster); #endif status = appbatch(); if (tempfile[0] != '\0') --- 88,94 ---- if (!cpstdin(cont_code, err_code, errbuf)) /* may create tempfile */ return 0; #ifdef POSTER ! (void) chown(tempfile, uid_poster, gid_poster); #endif status = appbatch(); if (tempfile[0] != '\0') -- V ant "It's great to be young and insane" \o/ ant@brolga.cc.uq.oz.au - Dream Team -O- Anthony Murdoch Prentice Computer Centre /0\ Phone (07) 3774078 University of Qld
Makey@Logicon.COM (Jeff Makey) (07/24/90)
On UNIX 4.2 BSD, at least, chown() on a zero-length file name changes the ownership of the current directory. This is easy to demonstrate. :: Jeff Makey Department of Tautological Pleonasms and Superfluous Redundancies Department Disclaimer: All opinions are strictly those of the author. Internet: Makey@Logicon.COM UUCP: {nosc,ucsd}!logicon.com!Makey
ant@brolga.cc.uq.oz.au (Anthony Murdoch) (07/26/90)
Makey@Logicon.COM (Jeff Makey) writes: >On UNIX 4.2 BSD, at least, chown() on a zero-length file name changes >the ownership of the current directory. This is easy to demonstrate. I have been told this. I would be prepared to believe it for SunOS 4.1 except that I cannot work out what nntpd was doing in the directory /usr/local/src/cops Also, why did it change this to /usr/local/src/cops when we changed the name (I suppose we may have moved it while nntpd was actually running ?) It's a fun one in any case. ant -- V ant "It's great to be young and insane" \o/ ant@brolga.cc.uq.oz.au - Dream Team -O- Anthony Murdoch Prentice Computer Centre /0\ Phone (07) 3774078 University of Qld
marc@uni-paderborn.de (Marc Gumbold) (08/03/90)
ant@brolga.cc.uq.oz.au (Anthony Murdoch) writes: >Greetings nntp/cnews administrators everywhere, >I'd like to take you if I may, ...... , on a strange journey. This is the >story of "The Phantom 'chown'er." >It all started a couple of weeks ago, when I changed from nntp 1.5.5 to >1.5.9 . After some initial teething problems, everything appeared to be >working happily. And then it happened. >A seemingly random file (actually a directory) was being chowned to news.news >at apparently random intervals. After some investigation, we found that the >Phantom was working in close cahoots (sp?) with the nntpd. Everytime that [most interesting story deleted] >BTW, has anyone else noticed this strange behavior ? It seems a weird thing >for chown to do when given an empty string. God! It happens to our root directory and did happen to some of the dir's under /. Who knows which other directories may be affected... I don't dare looking it up... but root is annoying enough anyway. I've had no idea so far. I examined my C-News software, but with no obvious success. Next candidate would have been nntp, of course. We're running 1.5.8. Boy, am I glad I'm not the only one with that problem in the world. I'll try your patch. Thank you very very much for posting. Marc -- Marc Gumbold EMail: marc@uni-paderborn.de Phone: +49 5251 60 3803 Snail: Uni-GH Paderborn, FB17i, 4790 Paderborn, W. Germany