Re: #1416 Injection-Date: proposed diff

["Charles Lindsey" <chl@xxxxxxxxxxxxxxxx>]

In <87bqdqy30j.fsf@xxxxxxxxxxxxxxxxxxxxx> Russ Allbery <rra@xxxxxxxxxxxx> writes:

>I don't know if I'm just not being clear or why we're having so much
>trouble communicating.

>If he has *any* software installed on his system *anywhere* that will
>taken an existing post and reinject it, he has reinjection software.  He
>therefore knows he has reinjection software and it is his responsibility
>to configure it to do the right thing (and the right thing does not depend
>on hierarchy or where the post is going).  It is not possible for him to
>be doing reinjection and not know it.

On the contrary, it is perfectly possible if you are using CNEWS (and
probably BNEWS before it). I wouldn't know what INN would do.

CNEWS out of the box is configured to use UUCP, and its facilities for
using NNTP are somewhat rudimentary. But if you provide it with a script
that will call some NNTP server using the proper POST command, then it
will use it.

So this guy has arranged to use such a script to inject stuff both to the
central node of his local network and to the server provided by his ISP.

And he has configured his sys file to send articles to the local groups to
the that central node, and usenet groups to his ISP. And he honestly
believes that everything he sends is injecting to exactly one of those
servers. And his sysfile also ensures that stuff arriving from one of
those servers is never sent back to it (by looking at the incoming Paths,
of course). And it all appears to work.

Now you may argue that using a full-fledged server such as CNEWS at home
is a dangerous tool in the hands of the unskilled, but lots of people find
it convenient to do it, and you may be sure that some of them are less
skilled than others.

What this guy forgot, of course, is the case of cross posts between local
and Usenet groups (which were doubtless very rare anyway). But as he has
it, such an article arriving from the central server of the local network
will get sent out on the Usenet link. The sys file can easily be
configured to prevent that, once you have been made aware of the problem.

But for sure you cannot say that this guy "knew" that his system might
reinject; you can say that he SHOULD have known it, but in fact for an
unskilled bloke he did pretty well to get it configured as well as he did.

>  Regular news software does not do
>reinjection.  He has explicitly installed and configured software to do
>that, and that software can therefore be configured appropriately.

What is "regular news software"?

>It doesn't matter whether it's possible to accidentally direct posts to it
>or not.  That's not at all the point.  The point is that there's normal
>news software and there's reinjection software and it's quite clear which
>is which.

And there is also software which can do both. It would not surprise me
that INN could have been misconfigured in that way, but my knowledge of
INN is extremely limited.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl@xxxxxxxxxxxxxxxx      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5