17496 – Improper file permissions in /var/spool/news

Bug 17496 - Improper file permissions in /var/spool/news

Summary: Improper file permissions in /var/spool/news

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	inn
Sub Component:
Version:	7.1
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Florian La Roche
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-09-14 10:16 UTC by Enrico Scholz
Modified:	2008-05-01 15:37 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2000-09-14 10:16:59 UTC
Embargoed:

Attachments	(Terms of Use)

Description Enrico Scholz 2000-09-14 10:16:40 UTC

inn has the capability to authenticate users. So it's possible to put
sensitive data into local newsgroups (e.g. postings from maillists).

Because the whole /var/spool/news hierarchy is world-readable:

$ rpm -ql -vv inn
...
drwxrwxr-x    1 news    news             4096 Sep 14 05:28 /var/spool/news
drwxrwxr-x    1 news    news             4096 Sep 14 05:28
/var/spool/news/archive
...

a local user without rights to read the NNTP-spool can do it anyhow by
going into this directory and reading the raw-data

I suggest to remove the world-readability

Comment 1 Florian La Roche 2001-01-22 12:53:21 UTC

I'd like to leave the spool dir public readable. Please consider using
a new machine or chaning the perms just on that one box instead of
making this change within the standard rpm of Red Hat.

Note You need to log in before you can comment on or make changes to this bug.