Bug 17496

Summary: Improper file permissions in /var/spool/news
Product: [Retired] Red Hat Linux
Component: inn
Version: 7.1
Hardware: i386
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Keywords: Security
Reporter: Enrico Scholz <rh-bugzilla>
Assignee: Florian La Roche <laroche>
Doc Type: Bug Fix
Last Closed: 2000-09-14 10:16:59 UTC

Description Enrico Scholz 2000-09-14 10:16:40 UTC
inn has the capability to authenticate users. So it's possible to put
sensitive data into local newsgroups (e.g. postings from mailing lists).

Because the whole /var/spool/news hierarchy is world-readable:

$ rpm -ql -vv inn
...
drwxrwxr-x    1 news    news             4096 Sep 14 05:28 /var/spool/news
drwxrwxr-x    1 news    news             4096 Sep 14 05:28 /var/spool/news/archive
...

a local user without rights to read the NNTP spool can do it anyhow by
going into this directory and reading the raw data.

I suggest removing the world-readability.

Comment 1 Florian La Roche 2001-01-22 12:53:21 UTC
I'd like to leave the spool dir publicly readable. Please consider using
a new machine or changing the perms just on that one box instead of
making this change within the standard rpm of Red Hat.
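
Added example, not part of the bug report or of the inn package: a shell sketch of the per-host change discussed above, which lists everything under the spool that grants any permission to "other" and then strips those bits while leaving the news owner and group bits alone. The function names and the audit/fix arguments are assumptions made for this illustration; the default path is the one from the report.

```shell
#!/bin/sh
# Added example (not from the inn package): audit and tighten a news spool
# on a single host. Function names and the audit/fix arguments are
# assumptions for this illustration.

# Default spool path taken from the report.
SPOOL=/var/spool/news

# Print every file or directory under $1 that grants read, write or
# execute to "other". Symlinks are skipped because their own mode bits
# are not what access checks use.
list_world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Remove all "other" permission bits under $1. Owner and group bits are
# untouched, so the news user and group keep their existing access.
tighten_spool() {
    find "$1" ! -type l -exec chmod o-rwx {} +
}

# Usage: sh spool-perms.sh audit|fix [dir]
# With no arguments the script only defines the functions.
case "${1:-}" in
    audit) list_world_accessible "${2:-$SPOOL}" ;;
    fix)   tighten_spool "${2:-$SPOOL}" ;;
esac
```

Run the audit again after any package upgrade of inn, since the permissions recorded in the package are the world-readable ones shown in the report.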