Bug 17496 - Improper file permissions in /var/spool/news
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: inn
Version: 7.1
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Florian La Roche
Keywords: Security
Reported: 2000-09-14 06:16 EDT by Enrico Scholz
Modified: 2008-05-01 11:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2000-09-14 06:16:59 EDT
Description Enrico Scholz 2000-09-14 06:16:40 EDT
inn has the capability to authenticate users. So it's possible to put
sensitive data into local newsgroups (e.g. postings from mailing lists).

Because the whole /var/spool/news hierarchy is world-readable:

$ rpm -ql -vv inn
...
drwxrwxr-x    1 news    news             4096 Sep 14 05:28 /var/spool/news
drwxrwxr-x    1 news    news             4096 Sep 14 05:28 /var/spool/news/archive
...

a local user without rights to read the NNTP spool can do it anyhow by
going into this directory and reading the raw data.

I suggest removing the world-readability.
Comment 1 Florian La Roche 2001-01-22 07:53:21 EST
I'd like to leave the spool dir publicly readable. Please consider using
a new machine or changing the perms just on that one box instead of
making this change within the standard rpm of Red Hat.
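
Added example (not part of the original report and not code from the inn package): shell functions for the per-machine change discussed above, which list entries under the spool that grant any access to "other" and then remove those bits. The function names are hypothetical; the default path is the one from the report.

```shell
#!/bin/sh
# Added example: audit and restrict a news spool on a single machine.
# Function names are hypothetical; /var/spool/news is the path from the report.

# Print every non-symlink entry under $1 that grants read, write or
# execute/search permission to "other".
list_world_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of such entries (one per line of output).
count_world_access() {
    list_world_access "$1" | wc -l | tr -d ' '
}

# Remove all "other" permission bits below $1. Owner and group bits are
# left untouched, so user and group "news" keep their access.
# Symlinks are skipped so chmod never follows one out of the spool.
restrict_spool() {
    find "$1" ! -type l -exec chmod o-rwx {} +
}

# Stand-alone use:
#   sh script.sh --audit    [dir]   list offending entries
#   sh script.sh --restrict [dir]   strip "other" bits, then re-audit
case "${1:-}" in
    --audit)
        list_world_access "${2:-/var/spool/news}"
        ;;
    --restrict)
        restrict_spool "${2:-/var/spool/news}"
        echo "entries still world-accessible: $(count_world_access "${2:-/var/spool/news}")"
        ;;
esac
```

After such a local change, `rpm -V inn` reports the affected paths as differing in mode from what the package recorded.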
