Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83; site packet.UUCP
Path: utzoo!decvax!harpo!seismo!hao!hplabs!hpda!fortune!amd70!packet!cfv
From: cfv@packet.UUCP
Newsgroups: net.news.b
Subject: bug in control.c?
Message-ID: <138@packet.UUCP>
Date: Wed, 1-Jun-83 19:21:26 EDT
Article-I.D.: packet.138
Posted: Wed Jun  1 19:21:26 1983
Date-Received: Thu, 9-Jun-83 22:17:32 EDT
Organization: PacketCable,Inc. Cupertino, CA.
Lines: 36

I seem to have found a bug in the inews source module control.c. When I am
running as superuser (as defined by ROOTID in defs.h) and I want to globally
cancel an article created on my system by someone else, I was unable to do
so. When I tracked it down, in the function cancel() I found the following
code line:

if((uid==ROOTID||uid==0) && strncmp(msgng,"to.",3) == 0)
    su = 1;

What this does is check to see if your effective id (so su works) is ROOTID
or if you are root AND if the message is to 'to.*'. This means that unless
the message I am cancelling is going to 'to.foobar' superuser is never set
for the cancel command, so I cannot even cancel something out of general.

I have changed this to look like:

if((uid==ROOTID||uid==0))
    su = 1;

which removes the message group restriction. This may or may not be a problem
at your site, and it may not even be a bug (without it it doesn't seem to
work as advertised, but I am new to this software).

One final comment. I question the (uid==0) check for cancel privileges. If
I remember the documentation properly there is no notice that root has
su privileges, and a comment that superuser does not have to be root. In
many cases the person maintaining news will be the person on root, but I
don't believe it is guaranteed and I definitely don't think it is safe to
hard code superuser to root into the program and not document it because it
becomes possible for a non-privileged root to accidentally cancel someone
else's message without knowing it or even realizing he is privileged. I haven't
pulled this check out of my system yet, but I would like to hear someone
justify it or tell me that my analysis is incorrect.

chuck
ucbvax!amd70!packet!cfv
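
Added example, not part of the original post and not code from the B news source: a small C program that puts the quoted check, the poster's change, and the variant without the uid==0 test side by side over constructed cases. The ROOTID value, the uids, the newsgroup names, and the rule that an author may cancel his own article are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ROOTID 10 /* assumed value; each site sets its own in defs.h */

enum policy { ORIGINAL, PATCHED, PATCHED_NO_ROOT };

/* Value of the su flag under each variant of the check. */
static int su_flag(enum policy p, int uid, const char *msgng)
{
    switch (p) {
    case ORIGINAL:        /* the line quoted from cancel() */
        return (uid == ROOTID || uid == 0) && strncmp(msgng, "to.", 3) == 0;
    case PATCHED:         /* the poster's change: newsgroup test removed */
        return uid == ROOTID || uid == 0;
    case PATCHED_NO_ROOT: /* also without the uid==0 test the post questions */
        return uid == ROOTID;
    }
    return 0;
}

/* Assumption: cancel is honoured if su is set or the requester is the author. */
static int may_cancel(enum policy p, int uid, int author, const char *msgng)
{
    return su_flag(p, uid, msgng) || uid == author;
}

int main(void)
{
    /* Constructed cases: requester uid, author uid, newsgroup. */
    static const struct { int uid, author; const char *ng; } c[] = {
        { ROOTID, 205, "general"   }, /* news admin, someone else's article */
        { ROOTID, 205, "to.packet" }, /* news admin, to.* article */
        { 0,      205, "general"   }, /* root who is not the news admin */
        { 205,    205, "general"   }, /* author cancelling own article */
        { 301,    205, "general"   }, /* unrelated user */
    };
    size_t i;

    printf("%-4s %-6s %-10s %-8s %-7s %s\n",
           "uid", "author", "group", "original", "patched", "no-root");
    for (i = 0; i < sizeof c / sizeof c[0]; i++)
        printf("%-4d %-6d %-10s %-8d %-7d %d\n", c[i].uid, c[i].author, c[i].ng,
               may_cancel(ORIGINAL, c[i].uid, c[i].author, c[i].ng),
               may_cancel(PATCHED, c[i].uid, c[i].author, c[i].ng),
               may_cancel(PATCHED_NO_ROOT, c[i].uid, c[i].author, c[i].ng));
    return 0;
}
```

The third row is the case the final comment is about: under the patched check uid 0 can cancel anyone's article, and only the last column refuses it.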