From: Barnabyh on 21 Jun 2010 19:07

Hi group,

I've recently discovered slrn and slrnpull for news reading, as some of you may recall from the "news server" thread about local news serving needs. Currently I'm alternating between Claws-Mail and slrn.

I have a question in regard to security though. As slrnpull needs to run as root or under sudo in crontab, what are the chances of a potential security hole affecting/escalating into the whole system? I have so far only found problems relating to older versions in around 2000/2001, pertaining to versions 0.9.6.2 and 0.9.6.3 (securiteam.com, linuxsecurity.com). Apart from keeping an eye on this sort of thing and trusting the appearance of official updates, would it not be better to run slrnpull non-root? Is it possible to achieve this?

Thanx,
Barnaby

Barnabyh
-- 
The general public is a bunch of morons who destroy the fun and life in everything it collectively touches. Disney is what the public wants. NASCAR is what the public wants. Windows is what the public wants. (Slashdot, Monday March 28 2005, Gnome Removed From Slackware.)
From: Ewald Pfau on 22 Jun 2010 06:25

Barnabyh <usenet(a)spamtrap.org>:

> As slrnpull needs to run as root

Something with your setup must be quite different from my setup - there is no root involved here with slrnpull - everything is handled below user 'news'.

Maybe it changes things a bit if the newsspool is to be exported, so if file access has been configured instead of access via a tiny internal newsserver. As I access news only when having logged in as user 'news', I use file access and do not care about ownership exports.

Last time I configured thunderbird below the desktop standard user, I ran as well a tiny internal newsserver, which gave thunderbird indirectly access to the spool, via a line in '/etc/inetd.conf':

< nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/nntpd >

There, I used as well 'suck' and 's-news', but after quite some years it seemed to me too long then that those were not maintained any more.

So, for now I do not have a program in the newsserver role of 'nntpd'. If you can work out how to use s-news or something similar for that purpose, I guess you should be done.

Or maybe it helps, instead, to append specific users, as a comma separated list, to the entry 'news' in '/etc/group'? Never played with that one, so I'm not sure.

News stuff is in 4 directories here, everything is owned by 'news.news':

/usr/lib/news -- tin's corner, with a link to 'active', and configured to use the spool directly;
/var/lib/news -- not really used anymore, below is a link to '/var/spool/slrnpull/data/active' for tin, and 'out.going' sits here, to be linked to from /var/spool/slrnpull;
/var/spool/news -- 'the' spool;
/var/spool/slrnpull -- has links to 'out.going' and to 'var/spool/news'.

With this setup, all that prose to be posted, as here, is translated from tin via the script '/usr/lib/news/inews', so slrnpull can pick it up.

== Three batches follow.
== /usr/lib/news/inews:

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´
#!/bin/bash
# -- inews to slrnpull from tin --
# tin hands the finished article to this script on stdin; it is dropped as
# a new file into slrnpull's out.going directory, from where slrnpull posts
# it on the next run.
out="/var/spool/slrnpull/out.going"
tt=$(mktemp /tmp/XXXXXX) || exit 1
ts="$out/X${tt#/tmp/}.news"
mv "$tt" "$ts" || exit 1
# copy stdin verbatim; the former read/echo loop mangled backslashes and
# leading whitespace in the article body
cat >>"$ts"
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´

Now, poll the news host with slrnpull, store to the spool, adjust file dates since the previous 'active', and provide the reference for the newsreader:

/usr/lib/news/run_slrnpull_etc_or_name_as_you_like:

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´
#!/bin/bash
# Poll the news host with slrnpull, set each new article's mtime to the
# time in its Date: header, and write a .newsrc for the newsreader from
# slrnpull's active file. (bash, not plain sh: uses (( )), [[ ]], functions.)
cd || exit 1
readref="./.newsrc.n"
host="-insert.the.news.hosting.site-"
spool="/var/spool/news"
spull="/var/spool/slrnpull"
nextref="$spull/data/active"
dateref="$spull/active.o"
oldref="$spull/active.o~"
hmark=0
mc=0
loglen=120

# rotate slrnpull's log once it grows past $loglen lines
if [ -r "$spull/log" ]; then
    qsi=$(wc -l <"$spull/log")
    if (( qsi >= loglen )); then
        mv -f "$spull/log" "$spull/log.o"
    fi
fi

slrnpull -h "$host" -d "$spull"

# ................................................................
# - adjust dates -
# msgdatedo FILE...: touch each article with the time from its Date: header
msgdatedo() {
    local f dfrx dmrx
    for f in "$@"; do
        dfrx=$(formail -x Date: <"$f")
        # drop a leading weekday ("Tue,") if the first word carries no digit
        case ${dfrx%% *} in
            *[0-9]*) ;;
            *) dfrx=${dfrx#* } ;;
        esac
        # GNU date parses the header and prints touch's [[CC]YY]MMDDhhmm[.ss]
        # directly (same result as the former date -I / awk mktime round trip)
        dmrx=$(date -d "$dfrx" +%Y%m%d%H%M.%S) || continue
        touch -t "$dmrx" "$f"
    done
}

# msggrp NUM...: date-fix the articles numbered above the previous high mark
msggrp() {
    local n
    mc=0
    for n in "$@"; do
        if [[ $n -gt $hmark && -r $n ]]; then
            msgdatedo "$n"
            mc=$((mc + 1))
        fi
    done
}
# ................................................................

# active.o is the active file from the previous run: per group, the old
# high mark tells which article numbers are new and need their dates set.
if [ -r "$dateref" ]; then
    if [ -w "$oldref" ]; then
        cp -p "$dateref" "$oldref"
    fi
    while read -r q; do
        group=$(echo "$q" | cut -d" " -f1 | tr "." "/")
        hmark=$(echo "$q" | cut -d" " -f2 | cut -d"-" -f2)
        hmark=${hmark:-0}
        cd "$spool/$group" || continue
        msggrp $(find [0-9]* -type f 2>/dev/null | sort -n)
        if (( mc != 0 )); then
            echo "$group --> $mc"
        fi
    done <"$dateref" && rm "$dateref"
fi
if [ ! -r "$dateref" ]; then
    cp -p "$nextref" "$dateref"
fi

# newsrc for the reader: every group, articles 1-<high mark>
cd || exit 1
while read -r a c _; do
    echo "$a: 1-$c"
done <"$dateref" >"$readref"
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´

Ok, there's one more batch, for archiving into a mirrored spool with subdirectories named by month of year (this is the reason behind adjusting file dates to posting dates), so that one follows, but then I stop here.

/usr/lib/news/move_spool_to_archive_or_name_as_you_like:

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´
#!/bin/bash
# actfiloop ->
#   Move the whole news spool to the archive, split by month according to
#   the articles' time stamps. (The date is decremented month-wise until
#   the spool is empty.)
#
# actretwo ->
#   Move this month's news from the archive back into the spool.
#   (Ok, it would be easier to move directories instead of files.)
#
# ................................................................
somelist='/var/lib/news/active'
somespool='/var/spool/news'
somearc='/var/spool/news/.archive'
somewhere='From somewhere(a)world'   # not used below
sometdir=$somearc
somefileref=$(mktemp ~/m2arc.XXXXXX) || exit 1
# ................................................................
# $trisdate holds "YYYY MM DD hh mm ss [zone]" for the month being handled
trsetdate() { trisdate=$(date -r "$somefileref" -I'seconds' | tr 'T:+-' ' '); }
# step back one month; mktime() normalises month 0 to December of last year
trsubdate() {
    trisdate=$(echo "$trisdate" |
        awk 'END{print strftime("%Y %m %d %H %M %S",mktime($1" "$2-1" "$3" "$4" "$5" "$6))}')
}
# first day of that month, mbox "From " style (not used below)
frombuilt() {
    echo "$trisdate" | awk 'END{print strftime("%a %d %b %Y",mktime($1" "$2" 1 0 0 0"))}'
}
# first day of that month as YYYYMMDD, for touch -t and the archive subdir
touchbuilt() {
    echo "$trisdate" | awk 'END{print strftime("%Y%m%d",mktime($1" "$2" 1 0 0 0"))}'
}
# ................................................................
# actfidone FILE...: spool -> archive subdirectory $sometdir
actfidone() { local f; for f in "$@"; do mv "$f" "$sometdir/$(basename "$f")"; done; }
# actfirdone FILE...: archive -> spool directory of $somegroup
actfirdone() { local f; for f in "$@"; do mv "$f" "$somespool/$somegroup/$(basename "$f")"; done; }
# ................................................................
# move every article of $somegroup dated in or after the month in $trisdate
actmodone() {
    touch -t "$(touchbuilt)0000" "$somefileref"
    sometdir=$somearc/$somegroup/$(touchbuilt)
    if [[ $(find "$somespool/$somegroup" -name "[0-9]*" -type f -newer "$somefileref") ]]; then
        [ -d "$sometdir" ] || mkdir -p "$sometdir"
        echo "$sometdir"
        actfidone $(find "$somespool/$somegroup" -name "[0-9]*" -type f -newer "$somefileref")
    fi
}
# move the archived articles of $somegroup for the month in $trisdate back
actredone() {
    touch -t "$(touchbuilt)0000" "$somefileref"
    sometdir=$somearc/$somegroup/$(touchbuilt)
    if [ -d "$sometdir" ]; then
        if [[ $(find "$sometdir" -name "[0-9]*" -type f) ]]; then
            echo "$sometdir"
            actfirdone $(find "$sometdir" -name "[0-9]*" -type f)
            rmdir "$sometdir"
        fi
    fi
}
# ................................................................
actfiloop() {
    local g
    for g in "$@"; do
        somegroup=$(echo "$g" | tr "." "/")
        [ -d "$somespool/$somegroup" ] || continue
        if [[ $(find "$somespool/$somegroup" -name "[0-9]*" -type f) ]]; then
            trisdate=$triodate
            actmodone
            # the year guard stops the loop if an article carries a bogus
            # (pre-1970) time stamp that no month step would ever reach
            while [[ $(find "$somespool/$somegroup" -name "[0-9]*" -type f) ]] &&
                  (( ${trisdate%% *} > 1970 )); do
                trsubdate
                actmodone
            done
        fi
    done
}
actretwo() {
    local g
    for g in "$@"; do
        somegroup=$(echo "$g" | tr "." "/")
        trisdate=$triodate
        actredone
        # trsubdate; actredone
    done
}
# ................................................................
trsetdate
triodate=$trisdate
actfiloop $(cut -d" " -f1 "$somelist")
actretwo $(cut -d" " -f1 "$somelist")
rm -f "$somefileref"
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´
From: Barnabyh on 22 Jun 2010 11:10

* Ewald Pfau <anderswo(a)gmx.net> wrote:
> Barnabyh <usenet(a)spamtrap.org>:
>
>> As slrnpull needs to run as root
>
> Something with your setup must be quite different from my setup - there is
> no root involved here with slrnpull - everything is handled below user
> 'news'.
>
> Maybe it changes things a bit, if newsspool is to be exported, so, if file
> access has been configured, instead of access via a tiny internal
> newsserver. As I access news only, when having logged-in as user 'news', I
> use file access and do not care about ownership exports.
>
> Last time I configured thunderbird below desktop standard user, I ran as
> well a tiny internal newsserver, which gave thunderbird indirectly access to
> the spool, via a line in '/etc/inetd.conf':
>
> < nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/nntpd >
>
> There, I used as well 'suck' and 's-news', but after quite some years, it
> seemed to me too long then, that those were not maintained any more.
>
> So, for now I do not have a program in the newsserver role of 'nntpd'. If
> you can work out, how to use s-news or something similar for that purpose,
> so I guess you should be done.
>
> Or maybe it helps, instead, to append specific users, as a comma separated
> list, to the entry 'news' in '/etc/group'? Never played with that one, so
> I'm not sure.
>
> News stuff is in 4 directories here, everything is owned by 'news.news':
>
> /usr/lib/news -- tin's corner, with a link to 'active',
> and configured to use the spool directly;
> /var/lib/news -- not really used anymore, below is a link to
> '/var/spool/slrnpull/data/active' for tin,
> and 'out.going' sits here, to be linked to from /var/spool/slrnpull;
> /var/spool/news -- 'the' spool;
> /var/spool/slrnpull -- has links to 'out.going' and to 'var/spool/news'.
>
> With this setup, all that prose to be posted, as here, is translated from
> tin via the script '/usr/lib/news/inews', so slrnpull can pick it up.

Thanx Ewald. That is very helpful and I'll experiment a bit with the settings and your scripts. From the online documentation, mangled by the decades and through version changes, and various tips in fora and documentation and wiki entries for a plethora of distributions, it seemed like slrnpull can only be run as root. At least now I got something to do this evening.

I prefer to use slrn/slrnpull because then I won't have to set up stunnel for this particular server.

Barnabyh
From: Sylvain Robitaille on 22 Jun 2010 12:00

Barnabyh wrote:

> ... As slrnpull needs to run as root ...

As has already been mentioned, it doesn't. In fact, it hasn't needed to run as root since 1998, so the documentation you're reading is more than a little out of date. See /usr/doc/slrn-*/slrnpull/setgid.txt for what I hope is a clear explanation of how it should be set up.

I hope this helps.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl(a)encs.concordia.ca
Systems analyst / AITS                            Concordia University
Faculty of Engineering and Computer Science   Montreal, Quebec, Canada
----------------------------------------------------------------------
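The thread's conclusion is that slrnpull belongs to the unprivileged 'news' user, with at most a setgid bit for the news group as setgid.txt describes, and never in root's crontab. The script below is an added example, not code from the thread, from slrn or from setgid.txt: a small POSIX sh audit that checks the three things a practitioner would verify after such a setup, namely that nothing in the spool is owned by another user or world-writable, that the slrnpull binary is not setuid, and what the crontab line for the 'news' user looks like. /usr/bin/slrnpull, /var/spool/slrnpull, news.example.org and the script name audit_slrnpull.sh are assumptions; the -h and -d options are the ones Ewald's run script above passes to slrnpull.

```shell
#!/bin/sh
# Added example, not code from the thread or from slrn itself: checks for a
# slrnpull setup that runs as the unprivileged 'news' user rather than root.
# /usr/bin/slrnpull and /var/spool/slrnpull are assumed paths; adjust them.

# audit_spool DIR OWNER
# Lists every file below DIR that is not owned by OWNER or is world-writable.
# Returns 0 when the spool is clean, 1 when something was listed, 2 if DIR is
# missing. A world-writable spool lets any local user plant or alter articles
# and out.going postings, which is the escalation path the question is about.
audit_spool() {
    dir=$1; owner=$2
    [ -d "$dir" ] || return 2
    bad=$(find "$dir" \( ! -user "$owner" -o -perm -002 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# audit_binary PATH
# slrnpull only ever needs to be setgid to the news group (see setgid.txt),
# never setuid root. Returns 1 if the setuid bit is set, 2 if PATH is missing.
audit_binary() {
    bin=$1
    [ -f "$bin" ] || return 2
    if [ -n "$(find "$bin" -perm -4000 -print)" ]; then
        printf 'setuid bit set on %s\n' "$bin"
        return 1
    fi
    return 0
}

# cron_line HOST SPOOL
# The crontab entry to install with 'crontab -u news -e' so the fetch runs as
# 'news', not root. -h and -d are the slrnpull options used in the run script
# posted earlier in the thread.
cron_line() {
    printf '%s\n' "*/30 * * * * /usr/bin/slrnpull -h $1 -d $2 >/dev/null 2>&1"
}

# Usage, only when run directly under the assumed name, so the functions can
# also be sourced from another script:
if [ "${0##*/}" = "audit_slrnpull.sh" ]; then
    audit_spool /var/spool/slrnpull news
    audit_binary /usr/bin/slrnpull
    cron_line news.example.org /var/spool/slrnpull
fi
```

Run it as the 'news' user (or as root, read-only) after following setgid.txt; a non-empty listing from audit_spool or a hit from audit_binary is exactly the condition under which a bug in slrnpull would stop being contained to the news account.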
From: Barnabyh on 22 Jun 2010 13:29

* Sylvain Robitaille <syl(a)alcor.concordia.ca> wrote:
> Barnabyh wrote:
>
>> ... As slrnpull needs to run as root ...
>
> As has already been mentioned, it doesn't. In fact, it hasn't needed to
> run as root since 1998, so the documentation you're reading is more than
> a little out of date. See /usr/doc/slrn-*/slrnpull/setgid.txt for what
> I hope is a clear explanation of how it should be set up.
>
> I hope this helps.

Yeah, this helps, thanks Sylvain. So much for looking all over instead of on my own hd. I shall remember that.

Barnabyh