INN 2.2.1 fixes some security holes found in earlier versions. Below is a good description of the situation written by Russ Allbery.

---------------------------------------------------------------------------

Vulnerability

If inews is installed setgid news and world-executable, any user on the system may be able to gain group news privileges by exploiting a buffer overflow in inews. The news group is treated as privileged by some portions of a standard INN installation; these privileges could be used to modify group-writeable files, possibly allowing the user to leverage group news access into user news privileges, and then by manipulation of inn.conf possibly root access (although recent fixes have made this final step much more difficult).

Note that this chain of elevation of privileges is theoretical rather than actual; the ability of an attacker to do this indicates bugs in other portions of INN. However, given the degree to which INN trusts the news user and news group, it's not unlikely that such bugs exist.

Affected Versions

The vulnerability appears to be present in all versions of inews back to at least INN 1.7.2, and quite possibly farther than that. All versions of INN older than INN 2.2.1 (or INN snapshots generated on August 23rd or later) should be considered vulnerable.

Recommended Action

This bug was fixed in the INN CVS repository on 1999/08/22 06:30:02. It is fixed in INN 2.2.1, and in INN 2.2 STABLE snapshots and INN 2.3 development snapshots generated after that date. Upgrading is one solution.

inews needs to be setgid only if it needs to be executable by all users on the system and needs to be able to talk to INN via a Unix domain socket and spool articles in the incoming directory if innd isn't running. Very few systems require this functionality.

If your news server is a stand-alone server with no local users, or if you don't need the spooling capability and don't mind inews posting articles via TCP, you should turn off the setgid bit on inews with:

    chmod 550 inews

It is possible that rnews has similar potential exploits. rnews by default is executable only by group uucp; if you are not running UUCP, it is strongly recommended that you also turn off the setuid bit of rnews with:

    chown news rnews
    chgrp news rnews
    chmod 500 rnews

(Installing inews and rnews without special privileges will be a standard option in INN 2.3, and may become the default.)

Additional Notes

INN is in general much more secure if run on a dedicated machine to which only news administrators have shell access. This is the most common installation of INN these days, given the increasing volume of news and the resources demanded by a news server to handle it. It is generally good security practice to isolate each service on its own machine as much as possible, and only give shell access to that machine to those people who are maintaining that service.

-- 
Russ Allbery (rra@stanford.edu)
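
Added example (not part of the advisory above and not INN code): a small POSIX shell check that reports whether inews or rnews still carries the setuid or setgid bit, and whether it is also world-executable. The function name audit_news_binary is hypothetical, and the binary paths are passed as arguments because install locations differ between sites.

```shell
#!/bin/sh
# Added example: audit INN helper binaries for the privilege bits the
# advisory recommends removing. Paths come from the caller.

# Returns 0 if the file has no setuid/setgid bit, 1 if it has one,
# 2 if the path is not a regular file. Findings are printed to stdout.
audit_news_binary() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "SKIP  $f: not a regular file"
        return 2
    fi
    bits=""
    [ -u "$f" ] && bits="setuid"
    [ -g "$f" ] && bits="${bits:+$bits+}setgid"
    if [ -z "$bits" ]; then
        echo "OK    $f: no setuid/setgid bit"
        return 0
    fi
    # A privilege bit combined with world-execute is the exposure the
    # advisory describes: any local user can run the binary.
    if [ -n "$(find "$f" -prune -perm -0001 -print)" ]; then
        echo "RISK  $f: $bits and world-executable"
    else
        echo "WARN  $f: $bits, not world-executable"
    fi
    return 1
}

# Usage: sh audit.sh /path/to/inews /path/to/rnews
status=0
for path in "$@"; do
    audit_news_binary "$path" || status=1
done
```

A WARN line for rnews is expected on a site that runs UUCP; on any other site, both binaries should report OK after the chmod commands above.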