Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 5/3/83; site packet.UUCP
Path: utzoo!decvax!harpo!seismo!hao!hplabs!hpda!fortune!amd70!packet!cfv
From: cfv@packet.UUCP
Newsgroups: net.news.b
Subject: bug in control.c?
Message-ID: <138@packet.UUCP>
Date: Wed, 1-Jun-83 19:21:26 EDT
Article-I.D.: packet.138
Posted: Wed Jun 1 19:21:26 1983
Date-Received: Thu, 9-Jun-83 22:17:32 EDT
Organization: PacketCable,Inc. Cupertino, CA.
Lines: 36

I seem to have found a bug in the inews source module control.c. When I am
running as superuser (as defined by ROOTID in defs.h) and I want to globally
cancel an article created on my system by someone else, I was unable to do so.
When I tracked it down, in the function cancel() I found the following code
line:

	if((uid==ROOTID||uid==0) && strncmp(msgng,"to.",3) == 0) su = 1;

What this does is check to see if your effective id (so su works) is ROOTID
or if you are root AND if the message is to 'to.*'. This means that unless
the message I am cancelling is going to 'to.foobar' superuser is never set for
the cancel command, so I cannot even cancel something out of general. I have
changed this to look like:

	if((uid==ROOTID||uid==0)) su = 1;

which removes the message group restriction. This may or may not be a problem
at your site, and it may not even be a bug (without it it doesn't seem to work
as advertised, but I am new to this software).

One final comment. I question the (uid==0) check for cancel privileges. If I
remember the documentation properly there is no notice that root has su
privileges, and a comment that superuser does not have to be root. In many
cases the person maintaining news will be the person on root, but I don't
believe it is guaranteed and I definitely don't think it is safe to hard code
superuser to root into the program and not document it because it becomes
possible for a non-privileged root to accidentally cancel someone else's
message without knowing it or even realizing he is privileged. I haven't
pulled this check out of my system yet, but I would like to hear someone
justify it or tell me that my analysis is incorrect.

chuck
ucbvax!amd70!packet!cfv
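
Added example, not part of the original post and not the B news source: the quoted check, the poster's local change, and a variant without the hard-coded uid 0, compared over the same callers. The ROOTID value, the function and enum names, and the rule that a non-privileged user may cancel only their own article are assumptions made for this illustration.

```c
/* Added illustration; not the B news source. ROOTID value and all names
 * below are hypothetical. Assumes a non-privileged user may cancel only
 * an article they own (an assumption, not stated in the post). */
#include <stdio.h>
#include <string.h>

#define ROOTID 10   /* constructed: uid of the news administrator */

enum policy { AS_SHIPPED, GROUP_TEST_REMOVED, ROOTID_ONLY };

/* Decide whether the caller gets news-superuser rights for this cancel. */
static int is_su(enum policy p, int uid, const char *msgng)
{
    switch (p) {
    case AS_SHIPPED:          /* the condition quoted from cancel() */
        return (uid == ROOTID || uid == 0) && strncmp(msgng, "to.", 3) == 0;
    case GROUP_TEST_REMOVED:  /* the poster's local change */
        return uid == ROOTID || uid == 0;
    case ROOTID_ONLY:         /* variant without the undocumented uid 0 grant */
        return uid == ROOTID;
    }
    return 0;
}

/* A cancel is allowed for the article's owner or for a news superuser. */
int may_cancel(enum policy p, int uid, int owner_uid, const char *msgng)
{
    return uid == owner_uid || is_su(p, uid, msgng);
}

int main(void)
{
    static const struct { int uid; const char *ng; } who[] = {
        { ROOTID, "net.general" }, { ROOTID, "to.foobar" },
        { 0, "net.general" }, { 0, "to.foobar" }, { 42, "net.general" },
    };
    const int owner = 100;  /* constructed: the article was posted by uid 100 */
    size_t i;

    printf("%-6s %-12s shipped  no-group  rootid-only\n", "uid", "group");
    for (i = 0; i < sizeof who / sizeof who[0]; i++)
        printf("%-6d %-12s %-8d %-9d %d\n", who[i].uid, who[i].ng,
               may_cancel(AS_SHIPPED, who[i].uid, owner, who[i].ng),
               may_cancel(GROUP_TEST_REMOVED, who[i].uid, owner, who[i].ng),
               may_cancel(ROOTID_ONLY, who[i].uid, owner, who[i].ng));
    return 0;
}
```

The first column of results shows the administrator refused outside 'to.*' groups; the last column shows uid 0 losing the implicit grant while ROOTID keeps it.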