Your message dated Sat, 20 Sep 2025 09:18:04 -0500
with message-id <[email protected]>
and subject line Resolving
has caused the Debian Bug report #1090849,
regarding missing suid nncp for executables
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1090849: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1090849
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nncp
Version: 8.10.0
(Ubuntu 24.04: Version: 8.10.0-8ubuntu0.2)
Hi,
/var/spool/nncp is owned by owner and group nncp.
But how should a user other than root be able to write into that
directory or run nncp commands being able to read /etc/nncp.hjson, if
that is supposed to remain secret?
Shouldn't those commands be set setuid nncp?
E.g. in older package uucp it is set correctly:
-rwsr-xr-x 1 uucp root 121088 Mär 25 2022 /usr/bin/uucp*
-rwsr-xr-x 1 uucp root 121072 Mär 25 2022 /usr/bin/uux*
regards
Hadmut
--- End Message ---
--- Begin Message ---
Hi Hadmut,
It may be possible to run NNCP setuid, but I can't make that the default
for the distribution, because there are a lot of different ways to set
it up.
For instance:
- multiple users on the system might run NNCP as their own user
- Access to NNCP might be limited by sudo, as at
https://www.complete.org/using-nncp-with-sudo/
- The system may be a relay only, with no need to run anything other
than nncp-daemon and nncp-toss, which can be run as the NNCP user
Making the binaries setuid or setgid would violate assumptions on some
of these things. If that is something you'd like to do locally, you can
use dpkg-statoverride to do so. But as a distribution where the
software needs to be usable by people in a wide variety of situations,
it would be inappropriate to ship it this way.
Thanks,
John
--- End Message ---
