Red Hat Bugzilla – Bug 17496
Improper file permissions in /var/spool/news
Last modified: 2008-05-01 11:37:58 EDT
inn has the capability to authenticate users. So it's possible to put
sensitive data into local newsgroups (e.g. postings from mailing lists).
Because the whole /var/spool/news hierarchy is world-readable:
$ rpm -ql -vv inn
drwxrwxr-x 1 news news 4096 Sep 14 05:28 /var/spool/news
drwxrwxr-x 1 news news 4096 Sep 14 05:28
a local user without rights to read the NNTP spool can do it anyhow by
going into this directory and reading the raw data.
I suggest removing the world-readability.
I'd like to leave the spool dir publicly readable. Please consider using
a new machine or changing the perms just on that one box instead of
making this change within the standard rpm of Red Hat.
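
Added example, not part of the original bug thread: one way to audit and tighten the spool permissions on a single box, as the reply above suggests. The function names and the sample tree are hypothetical and constructed for illustration; /var/spool/news and the news:news ownership come from the rpm listing in the report.

```shell
#!/bin/sh
# Added example, not from the bug report or the inn package.
# Function names are hypothetical; /var/spool/news is the path in the report.

# Print every non-symlink entry under $1 that grants read, write or
# execute/search permission to "other".
audit_spool() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries audit_spool reports for $1.
count_exposed() {
    audit_spool "$1" | wc -l | tr -d ' '
}

# Strip all "other" permissions below $1. Owner and group bits are left
# alone, so processes running as news:news (the owner and group shown in
# the rpm listing) keep their access.
lock_spool() {
    chmod -R o-rwx "$1"
}

# Build a constructed spool tree using the drwxrwxr-x mode from the report.
make_sample_spool() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/local/private"
    echo "constructed article body" > "$d/local/private/1"
    chmod 775 "$d" "$d/local" "$d/local/private"
    chmod 664 "$d/local/private/1"
    echo "$d"
}

# Usage: sh spool_audit.sh <spool-dir>        (audit only)
#        sh spool_audit.sh --fix [spool-dir]  (defaults to /var/spool/news)
if [ "${1:-}" = "--fix" ]; then
    lock_spool "${2:-/var/spool/news}"
elif [ -n "${1:-}" ]; then
    audit_spool "$1"
fi
```

After a local change like this, `rpm -V inn` will report the differing modes, and a package update can restore the packaged permissions, so re-run the audit after upgrading.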