From: Barnabyh on
Hi group,

I've recently discovered slrn and slrnpull for news reading, as some
of you may recall from the "news server" thread about local news
serving needs.
Currently I'm alternating between Claws-Mail and slrn.
I have a question with regard to security though. As slrnpull needs
to run as root or under sudo in crontab, what are the chances of a
potential security hole affecting/escalating into the whole system?

I have so far only found problems relating to older versions in
around 2000/2001 pertaining to versions 0.9.6.2 and 0.9.6.3
(securiteam.com, linuxsecurity.com).

Apart from keeping an eye on this sort of thing and trusting the
appearance of official updates, would it not be better to run
slrnpull non-root?

Is it possible to achieve this?

Thanx,

Barnaby


Barnabyh
--
The general public is a bunch of morons who destroy the fun and life in
everything it collectively touches. Disney is what the public wants.
NASCAR is what the public wants. Windows is what the public wants.
(Slashdot, Monday March 28 2005, Gnome Removed From Slackware.)
From: Ewald Pfau on
Barnabyh <usenet(a)spamtrap.org>:

> As slrnpull needs to run as root

Something with your setup must be quite different from my setup - there is
no root involved here with slrnpull - everything is handled below user
'news'.

Maybe it changes things a bit, if newsspool is to be exported, so, if file
access has been configured, instead of access via a tiny internal
newsserver. As I access news only, when having logged-in as user 'news', I
use file access and do not care about ownership exports.

Last time I configured thunderbird below desktop standard user, I ran as
well a tiny internal newsserver, which gave thunderbird indirectly access to
the spool, via a line in '/etc/inetd.conf':

< nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/nntpd >

There I also used 'suck' and 's-news', but after quite some years it
seemed to me that those had gone too long without being maintained.

So, for now I do not have a program in the newsserver role of 'nntpd'. If
you can work out how to use s-news or something similar for that purpose,
then I guess you should be done.

Or maybe it helps, instead, to append specific users, as a comma separated
list, to the entry 'news' in '/etc/group'? Never played with that one, so
I'm not sure.

News stuff is in 4 directories here, everything is owned by 'news.news':

/usr/lib/news -- tin's corner, with a link to 'active',
and configured to use the spool directly;
/var/lib/news -- not really used anymore, below is a link to
'/var/spool/slrnpull/data/active' for tin,
and 'out.going' sits here, to be linked to from /var/spool/slrnpull;
/var/spool/news -- 'the' spool;
/var/spool/slrnpull -- has links to 'out.going' and to '/var/spool/news'.

With this setup, all that prose to be posted, as here, is translated from
tin via the script '/usr/lib/news/inews', so slrnpull can pick it up.

== Three batches follow. ==

/usr/lib/news/inews:
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´
#!/bin/sh
# -- inews to slrnpull from tin --
# Read the article tin hands over on stdin and drop it as a uniquely named
# file into slrnpull's outgoing queue; the next slrnpull run posts it.
out="/var/spool/slrnpull/out.going"
tt=$(mktemp /tmp/XXXXXX); ts=$out/X${tt#/tmp/}.news;
mv "$tt" "$ts"; while read -r z; do echo "$z" >>"$ts"; done
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´

Now, poll news-host with slrnpull, storing to spool,
adjust file dates since previous 'active',
provide reference for newsreader -
/usr/lib/news/run_slrnpull_etc_or_name_as_you_like
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´
#!/bin/bash
# Uses bash-only syntax (let, (( )), [[ ]], function), so the interpreter
# must be bash rather than a plain POSIX sh.
cd;
readref="./.newsrc.n";
host="-insert.the.news.hosting.site-";
spool="/var/spool/news";
spull="/var/spool/slrnpull";
nextref=$spull"/data/active";   # 'active' as written by the slrnpull run below
dateref=$spull"/active.o";      # 'active' kept from the previous run
oldref=$spull"/active.o~";      # backup of the previous 'active'

let hmark=0;      # highest article number already handled, per group
let mc=0;         # articles touched in the current group
let loglen=120;   # rotate slrnpull's log once it exceeds this many lines

# Rotate the log before the run so it never grows without bound.
if [ -r $spull/log ] ; then {
let qsi=$(wc -l $spull/log |cut -d" " -f1);
if (( $qsi >= $loglen )) ; then {
mv -f $spull/log $spull/log.o;
} fi }; fi;

# Fetch new articles into the spool (runs as the user owning $spull, not root).
slrnpull -h $host -d $spull;

# ................................................................
# - adjust dates -
# Set each article file's mtime to its Date: header (needs formail, GNU date).

function msgdatedo { while (( $# != 0 )) ; do {
dfrx=`cat $1 |formail -x Date:` ;
# Strip a leading weekday name so only the numeric part reaches 'date -d'.
if [ "`echo $dfrx | cut -d" " -f1 | sed -n -e '/[0-9]/p'`" == "" ]; then {
dfrx=`echo $dfrx |cut -d" " -f2-` ; } fi ;
dmrx=`date -d"$dfrx" -I'seconds' | tr 'T:+-' " " | cut -d" " -f1-6 | awk 'END{print strftime("%Y%m%d%H%M.%S",mktime($0)) }' ` ;
# echo "`basename $1` $dmrx";
touch $1 -t"$dmrx" ; shift ; } done ; }

# Touch only article files numbered above the previous high-water mark.
function msggrp {
let mc=0;
while (( $# != 0 )) ; do {
if [[ $1 -gt $hmark ]] ; then {
if [ -r $1 ] ; then {
msgdatedo $1;
let mc+=1;
} fi; } fi; shift; } done; };

# ................................................................

# For every group in the previous 'active', adjust the dates of the
# articles that arrived since; then drop that 'active'.
if [ -r $dateref ]; then {
if [ -w $oldref ]; then {
cp -p $dateref $oldref;
} fi;
while read q; do {
group=`echo $q |cut -d" " -f1 |tr "." "/"`;
let hmark=`echo $q |cut -d" " -f2 |cut -d"-" -f2`;
cd $spool/$group;
msggrp `find [0-9]* -type f |sort -n`;
if (( $mc != 0 )); then {
echo $group' --> '$mc;
} fi;
} done < $dateref && rm $dateref;
} fi;

# Keep the current 'active' as the reference for the next run.
if [ ! -r $dateref ]; then {
cp -p $nextref $dateref;
} fi;

# Write one line per group into the newsreader's reference file.
cd;
while read z ; do {
a=$( echo $z |cut -d" " -f1);
c=$( echo $z |cut -d" " -f2);
echo "$a"': 1-'"$c";
} done <$dateref >$readref;
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´

ok, there's one more batch for archiving into a mirrored spool with
subdirectories named by month-of-year (this is the reason behind adjusting
file-dates to posting-dates), so that one follows, but then I stop here.
/usr/lib/news/move_spool_to_archive_or_name_as_you_like:
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´
#!/bin/bash
# Uses bash-only syntax (function, (( )), [[ ]]), so it needs bash, not sh.
#
# actfiloop ->
# Move all newsspool to archive, split by months following time-stamp.
# (Date is decremented month-wise, until spool is empty.)
#
# actretwo ->
# Move news from this month, from archive back to spool.
# (Ok, it would be easier to move directories instead of files.)
#
# ................................................................
somelist='/var/lib/news/active'
somespool='/var/spool/news'
somearc='/var/spool/news/.archive'

somewhere='From somewhere(a)world'   # unused
sometdir=$somearc
# Scratch file whose mtime serves as the moving month boundary for 'find -newer'.
somefileref=`mktemp ~/m2arc.XXXXXX`

# ................................................................
# trisdate holds "Y m d H M S" of the reference file, as space-separated fields.
function trsetdate { trisdate=`date -r $somefileref -I'seconds' |tr T " " |tr - " " |tr : " " |tr + " "`;}

# `date -r $somefileref -I'seconds' |tr "-T:+" " "

# Step trisdate back by one month (awk's mktime normalises month 0 to December).
function trsubdate { trisdate=`echo $trisdate |awk 'END{print strftime("%Y %m %d %H %M %S",mktime($1" "$2-1" "$3" "$4" "$5" "$6))}'`;}

function frombuilt { echo $trisdate |awk 'END{print strftime("%a %d %b %Y",mktime($1" "$2" "1" "0" "0" "0))}';}

# First day of the month in trisdate, as YYYYMMDD (archive directory name).
function touchbuilt { echo $trisdate |awk 'END{print strftime("%Y%m%d",mktime($1" "$2" "1" "0" "0" "0))}';}

# ................................................................
# Move the given article files into the current archive directory.
function actfidone { while (( $# != 0 )) ; do {
mv $1 $sometdir/`basename $1`
# echo $sometdir/`basename $1`
shift ; } done ; }

# Move the given article files back into the group's spool directory.
function actfirdone { while (( $# != 0 )) ; do {
mv $1 $somespool/$somegroup/`basename $1`
# echo $somespool/$somegroup/`basename $1`
shift ; } done ; }

# ................................................................
# Archive every article of $somegroup newer than the first of the month in trisdate.
function actmodone {
touch -t`touchbuilt`0000 $somefileref ;
sometdir=$somearc/$somegroup/`touchbuilt`
if [[ $( find $somespool/$somegroup -name "[0-9]*" -type f -newer $somefileref ) ]] ; then {
if [ ! -d $sometdir ] ; then { mkdir -p $sometdir ; } fi
echo $sometdir
actfidone `find $somespool/$somegroup -name "[0-9]*" -type f -newer $somefileref` ;
} fi ; }

# Restore the archive directory for the month in trisdate back to the spool.
function actredone {
touch -t`touchbuilt`0000 $somefileref ;
sometdir=$somearc/$somegroup/`touchbuilt`
if [ -d $sometdir ] ; then {
if [[ $( find $sometdir -name "[0-9]*" -type f ) ]] ; then {
echo $sometdir
actfirdone `find $sometdir -name "[0-9]*" -type f` ;
rmdir $sometdir ;
} fi ; } fi ; }

# ................................................................
# For each group: archive month by month, going backwards until the spool is empty.
function actfiloop { while (( $# != 0 )) ; do {
somegroup=`echo $1 |tr "." "/"`
if [ -d $somespool/$somegroup ] ; then {
if [[ $( find $somespool/$somegroup -name "[0-9]*" -type f ) ]] ; then {
trisdate=$triodate; actmodone ;
while [[ $( find $somespool/$somegroup -name "[0-9]*" -type f ) ]] ; do {
trsubdate; actmodone ; } done ;
} fi ; } fi ; shift ; } done ; }

# For each group: bring the current month back from the archive.
function actretwo { while (( $# != 0 )) ; do {
somegroup=`echo $1 |tr "." "/"`
trisdate=$triodate; actredone ;
# trsubdate; actredone ;
shift ; } done ; }

# ................................................................
trsetdate; triodate=$trisdate
actfiloop `cat $somelist |cut -d" " -f1`
actretwo `cat $somelist |cut -d" " -f1`
rm $somefileref
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´´

From: Barnabyh on
* Ewald Pfau <anderswo(a)gmx.net> wrote:
> Barnabyh <usenet(a)spamtrap.org>:
>

>> As slrnpull needs to run as root
>
> Something with your setup must be quite different from my setup - there is
> no root involved here with slrnpull - everything is handled below user
> 'news'.
>
> Maybe it changes things a bit, if newsspool is to be exported, so, if file
> access has been configured, instead of access via a tiny internal
> newsserver. As I access news only, when having logged-in as user 'news', I
> use file access and do not care about ownership exports.
>
> Last time I configured thunderbird below desktop standard user, I ran as
> well a tiny internal newsserver, which gave thunderbird indirectly access to
> the spool, via a line in '/etc/inetd.conf':
>
> < nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/nntpd >
>
> There, I used as well 'suck' and 's-news', but after quite some years, it
> seemed to me too long then, that those were not maintained any more.
>
> So, for now I do not have a program in the newsserver role of 'nntpd'. If
> you can work out, how to use s-news or something similar for that purpose,
> so I guess you should be done.
>
> Or maybe it helps, instead, to append specific users, as a comma separated
> list, to the entry 'news' in '/etc/group'? Never played with that one, so
> I'm not sure.
>
> News stuff is in 4 directories here, everything is owned by 'news.news':
>
> /usr/lib/news -- tin's corner, with a link to 'active',
> and configured to use the spool directly;
> /var/lib/news -- not really used anymore, below is a link to
> '/var/spool/slrnpull/data/active' for tin,
> and 'out.going' sits here, to be linked to from /var/spool/slrnpull;
> /var/spool/news -- 'the' spool;
> /var/spool/slrnpull -- has links to 'out.going' and to '/var/spool/news'.
>
> With this setup, all that prose to be posted, as here, is translated from
> tin via the script '/usr/lib/news/inews', so slrnpull can pick it up.
>

Thanx Ewald. That is very helpful and I'll experiment a bit with the
settings and your scripts.
From the online documentation, mangled by the decades and through version
changes and various tips in fora and documentation and wiki entries for
a plethora of distributions, it seemed like slrnpull can only be run
as root.

At least now I got something to do this evening.

I prefer to use slrn/slrnpull because then I won't have to set up
stunnel for this particular server.

Barnabyh
From: Sylvain Robitaille on
Barnabyh wrote:

> ... As slrnpull needs to run as root ...

As has already been mentioned, it doesn't. In fact, it hasn't needed to
run as root since 1998, so the documentation you're reading is more than
a little out of date. See /usr/doc/slrn-*/slrnpull/setgid.txt for what
I hope is a clear explanation of how it should be set up.

I hope this helps.

--
----------------------------------------------------------------------
Sylvain Robitaille syl(a)encs.concordia.ca

Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------
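The thread's answer is that slrnpull belongs in the 'news' account's own crontab, with the spool owned by that account rather than root. The following pre-flight check is an added example written for this page; it is neither Ewald's script nor anything from the slrn project. It assumes the /var/spool/slrnpull layout and 'news' account named above, uses only the -h and -d options that appear in the thread, and takes paths and the account name as parameters so the checks can be tried against a scratch directory. The host name and the two-hourly schedule are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the slrn project): pre-flight checks
# before installing slrnpull in an unprivileged user's crontab.

# Print the owning user of a path (GNU stat first, BSD stat as fallback).
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Print the octal permission bits of a path, e.g. 755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_spool DIR USER
# Succeeds only when DIR exists, is owned by USER and is not world-writable:
# the conditions under which slrnpull can write there without being root
# and without any other local user being able to plant files in the spool.
check_spool() {
    dir=$1; user=$2
    if [ ! -d "$dir" ]; then
        echo "check_spool: $dir does not exist" >&2; return 1
    fi
    actual=$(owner_of "$dir")
    if [ "$actual" != "$user" ]; then
        echo "check_spool: $dir is owned by $actual, expected $user" >&2; return 1
    fi
    mode=$(mode_of "$dir")
    world=${mode#"${mode%?}"}     # last octal digit: permissions for 'other'
    case $world in
        2|3|6|7) echo "check_spool: $dir is world-writable (mode $mode)" >&2; return 1 ;;
    esac
    return 0
}

# not_root: refuse to continue when invoked as uid 0, which is exactly the
# situation the original question wanted to avoid.
not_root() {
    [ "$(id -u)" -ne 0 ]
}

# cron_line HOST SPOOL
# Print the crontab entry for the news user's own crontab (installed with
# 'crontab -' while logged in as that user), so neither sudo nor root's
# crontab is involved. Only the -h and -d options from the thread are used.
cron_line() {
    printf '0 */2 * * * /usr/bin/slrnpull -h %s -d %s\n' "$1" "$2"
}

# run_checks DIR USER: both checks must pass before the entry is printed.
run_checks() {
    not_root && check_spool "$1" "$2"
}

# Stand-alone usage: sh this_script --check   (as the news user)
if [ "${1:-}" = "--check" ]; then
    run_checks /var/spool/slrnpull news && \
        cron_line news.example.invalid /var/spool/slrnpull
fi
```

The ownership test deliberately checks the directory owner rather than group membership, because Ewald's setup keeps everything under 'news.news'; if you instead follow the setgid approach Sylvain points to, the relevant condition becomes group ownership and group write permission, and the check should be adjusted accordingly.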
From: Barnabyh on
* Sylvain Robitaille <syl(a)alcor.concordia.ca> wrote:
> Barnabyh wrote:
>
>> ... As slrnpull needs to run as root ...
>
> As has already been mentioned, it doesn't. In fact, it hasn't needed to
> run as root since 1998, so the documentation you're reading is more than
> a little out of date. See /usr/doc/slrn-*/slrnpull/setgid.txt for what
> I hope is a clear explanation of how it should be setup.
>
> I hope this helps.
>

Yeah this helps, thanks Sylvain. So much for looking all over
instead of on my own hd. I shall remember that.

Barnabyh