Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!simtel!news.sprintlink.net!howland.reston.ans.net!math.ohio-state.edu!news.cyberstore.ca!vanbc.wimsey.com!fonorola!milkyway.com!not-for-mail
From: mcr@metis.milkyway.com (Michael Richardson)
Newsgroups: comp.unix.bsd.bsdi.misc
Subject: Re: rnews setgid error/uucp feed
Date: 7 Jul 1995 14:44:53 -0400
Organization: Milkyway Networks Corporation, Ottawa, ON
Lines: 180
Message-ID: <3tjvb5$olp@metis.milkyway.com>
References: <nwh.85.00155D1D@tde.com>
NNTP-Posting-Host: metis.milkyway.com
Keywords: rnews setgid uucp inn posting
In article <nwh.85.00155D1D@tde.com>, Nathan W. Harrington <nwh@tde.com> wrote:
>when rnews tries to post the article (after receiving it via uucp), it returns
>'rnews: cant setgid to 8 Operation not permitted'. Group 8 is news.
setgid() to an arbitrary group is essentially restricted to root. /bin/rnews is usually
setuid news, not setuid root. This, combined with the POSIX rules for
setuid(), makes a setuid-non-root binary almost useless for switching ids.
I ran into a similar problem on a NetBSD 1.0 system. It could not
open the AF_UNIX socket to innd when it was started by uucp.
Oops... some of my debugging output is still in there, but you get the drift.
I made /bin/rnews setuid root; the patch below then drops to the uid/gid of the owner of the innd directory as the first thing in main(), before any input is read.
*** rnews.c-orig Wed Apr 19 13:59:56 1995
--- rnews.c Mon Jun 12 22:10:17 1995
***************
*** 38,44 ****
STATIC char SPOOLTEMP[] = _PATH_SPOOLTEMP;
STATIC FILE *FromServer;
STATIC FILE *ToServer;
! STATIC char UNPACK[] = "news-unpack";
STATIC HEADER RequiredHeaders[] = {
{ "Message-ID", 10 },
#define _messageid 0
--- 38,44 ----
STATIC char SPOOLTEMP[] = _PATH_SPOOLTEMP;
STATIC FILE *FromServer;
STATIC FILE *ToServer;
! STATIC char UNPACK[] = "compress";
STATIC HEADER RequiredHeaders[] = {
{ "Message-ID", 10 },
#define _messageid 0
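Review bot: `UNPACK` is now the bare name `compress`, and further down the page it is handed to a child as `cargv[0]` with `-d`; if that argv is executed through a PATH search (the exec call itself is not in this hunk), a binary the post says is now setuid root would run whatever `compress` the invoking uucp environment's PATH finds first. Use an absolute path for the uncompressor, e.g. `STATIC char UNPACK[] = "/usr/bin/compress";` (or the path your INN configuration already defines), or reset PATH to a fixed value before any exec. The old `news-unpack` was a bare name too, so this is a pre-existing exposure that the setuid-root change makes worse rather than one the patch introduces.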
***************
*** 372,377 ****
--- 372,378 ----
/* Turn the descriptor into a stream. */
if ((F = fdopen(fd, "r")) == NULL) {
syslog(L_FATAL, "can't fdopen %d %m", fd);
+ fprintf(stderr,"can not fdopen %d, %s",fd,strerror(errno));
exit(1);
}
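Review bot: The added `strerror(errno)` reads errno after `syslog()` on the line above has already run, and syslog may overwrite errno, so the stderr message can report a different error than the `%m` in the log. Save it first: `int err = errno;` before the syslog call, then `strerror(err)` in the fprintf. The format string also lacks a trailing newline. The enclosing function starts and ends outside this hunk.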
***************
*** 388,393 ****
--- 389,395 ----
(SIZE_T)left, F)) != 0) {
if (i < 0) {
syslog(L_FATAL, "cant fread after %d bytes %m", used);
+ fprintf(stderr,"can not fread after %d bytes %s",used,strerror(errno));
exit(1);
}
used += i;
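Review bot: Same errno problem as the fdopen path: `strerror(errno)` is evaluated after `syslog(..., "%m")`, which may have changed errno, so the two messages can disagree. Capture it once, `int err = errno;`, before syslog and pass `strerror(err)` to the fprintf, and end the message with `\n`. The enclosing loop and function continue outside this hunk.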
***************
*** 559,564 ****
--- 561,567 ----
syslog(L_ERROR, "nested_cunbatch");
return FALSE;
}
+ fprintf(stderr,"Starting uncompress\n");
cargv[0] = UNPACK;
cargv[1] = "-d";
cargv[2] = NULL;
***************
*** 699,707 ****
--- 702,712 ----
int status;
TempName(SPOOLTEMP, temp);
+ fprintf(stderr,"Spooltemp: %s",temp);
(void)umask(0);
if ((spfd = open(temp, O_WRONLY | O_CREAT, BATCHFILE_MODE)) < 0) {
syslog(L_FATAL, "cant open %s %m", temp);
+ fprintf(stderr,"can not open %s; %s",temp,strerror(errno));
exit(1);
}
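Review bot: The new `Spooltemp: %s` line prints the spool temp file path to stderr on every run, and the `can not open` line again reads errno only after `syslog()` may have clobbered it. For an rnews started by uuxqt stderr is not a terminal, so this output lands wherever uucp collects a command's stderr (presumably its log or mail back to the peer; verify for your uuxqt), which is not where a pathname of a batch file belongs. Drop the `Spooltemp:` print, and in the error path save errno first: `int err = errno;` before the syslog and `strerror(err)` in the fprintf. The enclosing function starts and ends outside this hunk.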
***************
*** 734,739 ****
--- 739,745 ----
syslog(L_FATAL, "cant rename %s to %s %m", temp, buff);
status++;
}
+ fprintf(stderr,"exit %d",status);
exit(status);
/* NOTREACHED */
}
***************
*** 808,824 ****
int mode;
char buff[SMBUF];
char *Slave;
/* First thing, set up logging and our identity. */
openlog("rnews", L_OPENLOG_FLAGS, LOG_INN_PROG);
! if (setgid(getegid()) < 0) {
! syslog(L_FATAL, "cant setgid to %d %m", getegid());
exit(1);
}
! if (setuid(geteuid()) < 0) {
syslog(L_FATAL, "cant setuid to %d %m", geteuid());
exit(1);
}
UUCPHost = getenv(_ENV_UUCPHOST);
(void)umask(NEWSUMASK);
--- 814,850 ----
int mode;
char buff[SMBUF];
char *Slave;
+ static char INNDDIR[] = _PATH_INNDDIR;
+ GID_T NewsGID;
+ UID_T NewsUID;
+ struct stat Sb;
/* First thing, set up logging and our identity. */
openlog("rnews", L_OPENLOG_FLAGS, LOG_INN_PROG);
!
! /* get right ids ... */
! if (stat(INNDDIR, &Sb) < 0 || !S_ISDIR(Sb.st_mode)) {
! syslog(L_FATAL, "rnews cant stat %s %m", INNDDIR);
! exit(1);
! }
! NewsUID = Sb.st_uid;
! NewsGID = Sb.st_gid;
!
! /* Set our user and group id. */
! (void)setgid(NewsGID);
! if (getgid() != NewsGID)
! {
! syslog(L_FATAL, "cant setgid to %d %m", NewsGID);
exit(1);
}
!
! (void)setuid(NewsUID);
! if (getuid() != NewsUID)
! {
syslog(L_FATAL, "cant setuid to %d %m", geteuid());
exit(1);
}
+
UUCPHost = getenv(_ENV_UUCPHOST);
(void)umask(NEWSUMASK);
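Review bot: Because rnews is now installed setuid root, the uid/gid it drops to is taken from the ownership of `_PATH_INNDDIR`, and nothing rejects a root-owned directory, so a misconfigured install would keep processing uucp-delivered batches as root; the setgid/setuid results are also discarded and only the real ids are checked, so a failed `setgid()` whose real gid already matched would pass while the effective gid is still the old one, and the setuid error message still prints `geteuid()` rather than `NewsUID`. Refuse to continue when the directory is root-owned, check the return values and both real and effective ids, and report the intended id. Supplementary groups inherited from the invoking process are also not cleared; if the platform has `setgroups()`, calling it before `setgid()` would complete the privilege drop. `main()` starts before and continues after this hunk.
```c
    NewsUID = Sb.st_uid;
    NewsGID = Sb.st_gid;
    /* A root-owned innd directory would leave us running as root. */
    if (NewsUID == 0 || NewsGID == 0) {
	syslog(L_FATAL, "%s owned by uid %d gid %d; refusing to run", INNDDIR, NewsUID, NewsGID);
	exit(1);
    }
    /* Set our user and group id; check the calls and both ids, not just the real ones. */
    if (setgid(NewsGID) < 0 || getgid() != NewsGID || getegid() != NewsGID) {
	syslog(L_FATAL, "cant setgid to %d %m", NewsGID);
	exit(1);
    }
    if (setuid(NewsUID) < 0 || getuid() != NewsUID || geteuid() != NewsUID) {
	syslog(L_FATAL, "cant setuid to %d %m", NewsUID);
	exit(1);
    }
    /* … unchanged: UUCPHost, umask … */
```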
***************
*** 847,852 ****
--- 873,880 ----
ac -= optind;
av += optind;
+ fprintf(stderr,"Rnews starting\n");
+
/* Parse arguments. At most one, the input file. */
switch (ac) {
default:
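Review bot: `fprintf(stderr,"Rnews starting\n")` is unconditional debug output, and the post itself says the debugging was left in; an rnews run from uuxqt has no terminal, so every invocation writes this to whatever uucp does with the command's stderr. Remove it before this goes in, or gate it behind an existing verbose or debug option of rnews if one is available, and do the same for the other `fprintf(stderr, ...)` trace lines in this patch. `main()` continues on both sides of this hunk.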
***************
*** 873,878 ****
--- 901,907 ----
}
else {
#if defined(DO_RNEWSLOCALCONNECT)
+ fprintf(stderr,"Doing NNTPlocalopen\n");
if (NNTPlocalopen(&FromServer, &ToServer, buff) < 0) {
/* If server rejected us, no point in continuing. */
if (buff[0])
***************
*** 892,897 ****
--- 921,927 ----
if (mode == 'U')
Unspool();
else {
+ fprintf(stderr,"UnpackOne\n");
if (!UnpackOne(&fd, &i))
Spool(fd);
WaitForChildren(i);
--
:!mcr!: | <A HREF="http://www.milkyway.com/">Milkyway Networks Corporation</A>
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: <A HREF="http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ocunix.on.ca</A>. PGP key available.