Bug 17496 - Improper file permissions in /var/spool/news
Summary: Improper file permissions in /var/spool/news
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: inn
Version: 7.1
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Florian La Roche
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2000-09-14 10:16 UTC by Enrico Scholz
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-09-14 10:16:59 UTC
Embargoed:



Description Enrico Scholz 2000-09-14 10:16:40 UTC
inn has the capability to authenticate users. So it's possible to put
sensitive data into local newsgroups (e.g. postings from maillists).

Because the whole /var/spool/news hierarchy is world-readable:

$ rpm -ql -vv inn
...
drwxrwxr-x    1 news    news             4096 Sep 14 05:28 /var/spool/news
drwxrwxr-x    1 news    news             4096 Sep 14 05:28 /var/spool/news/archive
...

a local user without rights to read the NNTP spool can do it anyhow by
going into this directory and reading the raw data.

I suggest removing the world-readability.

Comment 1 Florian La Roche 2001-01-22 12:53:21 UTC
I'd like to leave the spool dir publicly readable. Please consider using
a new machine or changing the perms just on that one box instead of
making this change within the standard rpm of Red Hat.
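
The per-machine change suggested in Comment 1, as an added example that is not part of the bug report or of the inn package: it lists what local users outside the news group can reach under the spool, then removes the "other" bits. The function names are hypothetical; the path is the one from the rpm listing above.

```shell
#!/bin/sh
# Added example: audit and tighten the news spool on a single machine.
# Function names are hypothetical; the path comes from the bug report.
SPOOL=${SPOOL:-/var/spool/news}

# Print every entry under $1 that grants read, write or search/execute
# permission to "other". Symlinks are skipped: their own mode bits are
# always lrwxrwxrwx and say nothing about the target.
list_world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count those entries; one dot per entry so odd file names cannot skew it.
count_world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec printf . \; | wc -c | tr -d ' '
}

# Remove all permissions for "other" below $1, leaving the owner and group
# bits (news:news in the rpm listing) untouched. Run as root or as news.
restrict_spool() {
    find "$1" ! -type l -exec chmod o-rwx {} +
}

# Typical use on the affected box:
#   list_world_accessible "$SPOOL"
#   restrict_spool "$SPOOL"
#   count_world_accessible "$SPOOL"    # 0 once nothing is left
```

After the change `rpm -V inn` reports the packaged directories as having a different mode, and a later package upgrade can put the packaged modes back, so the audit is worth repeating after upgrades.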

