Subject: Re: newsyslog
To: None <tech-userlevel@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 07/13/2000 15:51:50
[ On Thursday, July 13, 2000 at 15:48:33 (+0100), Andy Doran wrote: ]
> Subject: Re: newsyslog
>
> [/var/run, /var/spool/lock]
> 
> To accomplish this newsyslog(8) becomes suid root, with the euid being set
> to ruid when the elevated privs are not needed...

Whatever gives you that idea?!?!?!?  NEVER make it setuid to root!!!!

It *might* need to be made set-GROUP-id to 'daemon' and /var/spool/lock
then needs to be made group-writable of course, but that's the very very
worst.

Though I do see on the one UUCP and dial-out machine I have that I had
to change /var/spool/lock to group "dialer" and make it group writable
so that modems could be properly shared.

In theory making /var/spool/lock world-writable with the sticky bit
should be sufficient for all but the most paranoid situations....  The
more paranoid folks could create a separate lock directory with a unique
group ownership which all authorised newsyslog users would be members of
and of course in order to succeed in creating the lock they'd have to
specify a writable directory on the command-line....

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>