From: SMTP%"bailey@HMIVAX.HUMGEN.UPENN.EDU" 21-JUL-1993 08:22:50.67
To: EVERHART
CC:
Subj: Proposed changes to News_Node, News_Address

Message-Id: <9307211156.AA14980@uu7.psi.com>
Date: Wed, 21 Jul 1993 01:17:39 GMT
Reply-To: Charles Bailey
Sender: ANU-NEWS Discussion
Comments: Warning -- original Sender: tag was news@NETNEWS.UPENN.EDU
From: Charles Bailey
Organization: HHMI/Human Genetics, Univ of Pa.
Subject: Proposed changes to News_Node, News_Address
To: Multiple recipients of list ANU-NEWS

I've had to sort through the News sources recently to track down usage of
various logical names, and a few anomalies have emerged in the use of
News_Node and News_Address. Specifically, current usage is as follows:

NEWS_NODE:
  - X-NEWS: header for Extract, Print
  - X-News: header for Mail, Send, Forward, Reply
  - Xref: header when creating a new item
  - constructed message IDs for Mail, Send, Forward, Reply
    (used only if Message-ID header is missing)
  - identifying local node entry in News.Sys, News.Dist
  - finding local node in Path: header
  - local node name in Path: header if NODE_PATH #defined (not default)
  - Access.News access checking
  - default message ID for "In article . . ." line constructed for followups
  - default value for NEWS_ADDRESS if that logical name and its fallback
    logical names are not defined

NEWS_ADDRESS:
  - hostname in arbitron.c
  - site name for Relay-Version: header
  - Path: entry for local system if NODE_PATH not #defined (default)
  - node ID in Responding-System: headers for response to control messages
  - address in From: header for ihave response message
  - default From: header constructed when adding an item to local database
    (used only if item is missing From: header)
  - message-id for items originating on the local system
  - moderator ident check for Add/Mod, Delete, Post, Repost, and access
    check as newsgroups are opened
  - item originator ident check for Cancel, Repost
  - default node address for mail_sig

Both of these logical names are translated via the C RTL call getenv().

I'd like to propose that the following changes be made to make usage more
consistent and plug what appears to be a potential security hole (with credit
for discussion and advice to Bob Sloane):

1. Require that these logical names be defined in the system table and in
   executive mode. Since they're used to check access to restricted groups,
   as well as to identify the local node to the net, I'm not comfortable with
   the idea that anyone can, for instance,
       Define/Process News_Address "hmivax.humgen.upenn.edu"
   and proceed to forge postings from my site. The sample setup procedures in
   the News_Dist ZIP archive already follow this policy, so I hope that
   enforcing it won't break many folks' setup.

2. Use News_Node as the site ID for use in looking up News.Sys entries,
   generating X-News:, Xref:, and Relay-Version: headers, and in the Path:
   header, unless the logical News_Pathname is also defined, in which case
   its translation will be used in Path: headers. It will also be used to
   identify the local host in Responding* headers, and as the hostname in
   Arbitron. If News_Node is not defined, the value of News_Address (or a
   fallback for News_Address) will be used instead. Given the tendency of
   many sites to use DNS names over UUCP names, this seems reasonable.

3. Use News_Address (or a fallback if necessary) for generating all From:
   addresses and Message-IDs, and as the host part of the string used for
   all access checks (Access.News, moderator, originator). This should
   satisfy RFC1036 rules for message ids, and help insure that the same
   string is used wherever something that looks like a mail address is
   needed.

4. Eliminate the preprocessor symbol NODE_PATH, since what I'm proposing does
   what it specifies by default, and if a site needs to do otherwise, then
   they can use News_Pathname.

My opinion is that item 1 should be incorporated immediately, since it
entails a minimum (I think) of hassle and plugs a potential security hole
(I know - bigger now that I've mentioned it). I realize items 2-4 may make
life difficult for some sites, so it might be useful to hold off or (argh)
incorporate some kind of conditional compilation.

I'd like to hear opinions from people about these ideas. If you think a point
is of general interest, post here; otherwise, feel free to send me mail, and
I'll summarize back to the group.

Regards,
Charles Bailey

!-------------------------------------------------------------------------------
! Dept. of Genetics / Howard Hughes Medical Institute
! University of Pennsylvania School of Medicine  Rm. 430 Clinical Research Bldg.
! 422 Curie Blvd.  Philadelphia, PA 19104 USA  Tel. (215) 898-1699
! Internet: bailey@genetics.upenn.edu (IN 128.91.200.37)
!-------------------------------------------------------------------------------
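
Item 1 of the message above, shown as a portable C model. This is an added example, not part of the original post and not ANU News code. The tables, modes, function names and sample definitions are constructed for illustration, and the model assumes the default logical name search order (process, job, group, system) rather than calling any VMS system service.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of VMS logical name tables and access modes.
   Enum order matters: tables are listed in search order, modes from
   least to most privileged. All names here are hypothetical. */
enum lnm_table { TBL_PROCESS, TBL_JOB, TBL_GROUP, TBL_SYSTEM };
enum lnm_mode  { MODE_USER, MODE_SUPERVISOR, MODE_EXEC, MODE_KERNEL };

struct lnm_entry {
    const char *name;
    const char *value;
    enum lnm_table table;
    enum lnm_mode mode;
};

/* Constructed sample data: a per-process override of NEWS_ADDRESS, the
   site's system/executive definition, and a NEWS_NODE defined in the
   system table but only in supervisor mode. */
static const struct lnm_entry sample_names[] = {
    { "NEWS_ADDRESS", "moderator.example.org",   TBL_PROCESS, MODE_SUPERVISOR },
    { "NEWS_ADDRESS", "hmivax.humgen.upenn.edu", TBL_SYSTEM,  MODE_EXEC },
    { "NEWS_NODE",    "hmivax",                  TBL_SYSTEM,  MODE_SUPERVISOR },
};
#define SAMPLE_COUNT (sizeof sample_names / sizeof sample_names[0])

/* Unrestricted lookup: the definition in the earliest table of the search
   order wins, whatever its access mode, so a process-level name shadows
   the system-wide one. */
const char *translate_any(const struct lnm_entry *e, size_t n, const char *name)
{
    const struct lnm_entry *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (strcmp(e[i].name, name) == 0 && (!best || e[i].table < best->table))
            best = &e[i];
    return best ? best->value : NULL;
}

/* Restricted lookup (item 1): accept only a system-table definition made in
   executive mode or a more privileged mode. Returns NULL when none exists,
   so the caller must refuse to run rather than fall back. */
const char *translate_trusted(const struct lnm_entry *e, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(e[i].name, name) == 0 &&
            e[i].table == TBL_SYSTEM && e[i].mode >= MODE_EXEC)
            return e[i].value;
    return NULL;
}
```

With the sample data, the unrestricted lookup of NEWS_ADDRESS yields the per-process value while the restricted lookup yields the site definition; NEWS_NODE fails the restricted lookup because its system-table definition is only supervisor mode.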