Bug 20826

Summary: inn should NOT install cron files owned by user "news"!
Product: [Retired] Red Hat Linux
Reporter: Chris Evans <chris>
Component: inn
Assignee: Florian La Roche <laroche>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.0
CC: dr, henris, jarno.huuskonen
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-12-03 16:12:04 UTC

Description Chris Evans 2000-11-14 11:43:38 UTC
Hi,

If you look in /etc/cron.* (hourly, monthly, etc.), there are some files owned by
user news.

I could be wrong, but doesn't this make user news equivalent to user root?

These cron files should be owned by user root, group root.

Note that there have been plenty of user news compromises in the past!
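
An audit for the condition reported above, as an added example that is not part of the original report or of the inn package: the scripts in /etc/cron.* are executed as root by run-parts, so any account that can modify them can run commands as root. The function names and the optional root/uid/gid arguments are hypothetical, and the sketch goes slightly beyond the report by also checking the directories themselves and group/other write bits.

```shell
#!/bin/sh
# Added example: list entries under <root>/cron.{hourly,daily,weekly,monthly}
# that an account other than the expected owner could modify.
# Defaults (/etc, uid 0, gid 0) match the report's "user root, group root".

audit_cron_dirs() {
    root=${1:-/etc}      # directory that holds the cron.* directories
    want_uid=${2:-0}     # expected owner uid (0 = root)
    want_gid=${3:-0}     # expected group gid (0 = root)

    for d in "$root"/cron.hourly "$root"/cron.daily \
             "$root"/cron.weekly "$root"/cron.monthly; do
        [ -d "$d" ] || continue
        # Flag files and directories with the wrong owner or group,
        # or that are writable by group or by others.
        find "$d" \( -type f -o -type d \) \
            \( ! -user "$want_uid" -o ! -group "$want_gid" \
               -o -perm -020 -o -perm -002 \) -print
    done
}

# Succeeds only when nothing is flagged, e.g. for a package post-install check.
cron_dirs_clean() {
    [ -z "$(audit_cron_dirs "$@")" ]
}
```

On a live system, `audit_cron_dirs` with no arguments checks /etc against root:root and prints one path per offending entry.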

Comment 1 Henri Schlereth 2000-12-03 16:12:01 UTC
Additionally, on an upgrade the news.crit, news.err, news.notice retain root ownership settings and inn(news) cannot access them.
6.2 --> 7.0

Comment 2 Florian La Roche 2001-01-22 13:07:44 UTC
Should all be resolved with next rpm in rawhide. Thanks a lot
for this report.

Comment 3 Daniel Roesen 2001-01-22 13:28:23 UTC
Isn't that issue a candidate for a security errata update?