Description: Force su to use /bin/sh as news user's shell
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: http://bugs.debian.org/736818
Forwarded: no
Last-Update: 2014-01-27

Index: b/INSTALL
===================================================================
--- a/INSTALL
+++ b/INSTALL
@@ -1414,7 +1414,7 @@
     or, if your system does not have per-user crontabs, put the following
     line into your system crontab instead:
 
-        0 3 * * * su -c '<pathbin in inn.conf>/news.daily expireover lowmark' news
+        0 3 * * * su -c '<pathbin in inn.conf>/news.daily expireover lowmark' -s /bin/sh news
 
     If you're using any non-CNFS storage methods, add "delayrm" to the above
     option list for news.daily.
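Review bot: The added crontab line places the new option after the command, as `su -c '...' -s /bin/sh news`, while the same line in doc/pod/install.pod in this patch reads `su -s /bin/sh -c '...' news`. Both keep the user name last, but the two files should carry identical text. Suggest using the install.pod order here.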
@@ -1494,7 +1494,7 @@
     news user and not as root.  To start INN on system boot, you therefore
     want to put something like:
 
-        su news -c <pathbin in inn.conf>/rc.news
+        su news -s /bin/sh -c <pathbin in inn.conf>/rc.news
 
     in the system boot scripts.  If innd is stopped or killed, you can
     restart it by running rc.news by hand as the news user.
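Review bot: In `su news -s /bin/sh -c <pathbin in inn.conf>/rc.news` the new option sits after the user name, so the command relies on su continuing to parse options past the user name rather than handing the remaining arguments to the shell. Putting the option first, as in `su -s /bin/sh news -c <pathbin in inn.conf>/rc.news` or the user-last order used for the crontab line, removes that dependency. The same applies to the other `su news -s /bin/sh ...` lines in this patch.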
@@ -1502,7 +1502,7 @@
     The rc.news script may also be used to shut down INN, with the "stop"
     option:
 
-        su news -c '<pathbin in inn.conf>/rc.news stop'
+        su news -s /bin/sh -c '<pathbin in inn.conf>/rc.news stop'
 
     In the contrib directory of this source tree, two sample init scripts
     are provided:  one for people using System V-style init.d directories,
@@ -1512,7 +1512,7 @@
     nnrpd to listen to these connections to NNTPS port 563 and put something
     like that in your init scripts:
 
-        su news -c '<pathbin in inn.conf>/nnrpd -D -c <pathetc in inn.conf>/readers-ssl.conf -p 563 -S'
+        su news -s /bin/sh -c '<pathbin in inn.conf>/nnrpd -D -c <pathetc in inn.conf>/readers-ssl.conf -p 563 -S'
 
     where readers-ssl.conf is the file which indicates whether a given
     connection is allowed to read and post news (you can also use the
@@ -1527,7 +1527,7 @@
 
     or if you do not have a start-stop-daemon utility:
 
-        su news -c 'killall nnrpd'
+        su news -s /bin/sh -c 'killall nnrpd'
 
 Processing Newsgroup Control Messages
 
Index: b/contrib/sample.init.script
===================================================================
--- a/contrib/sample.init.script
+++ b/contrib/sample.init.script
@@ -11,11 +11,11 @@
 start () {
     ulimit -n unlimited
     # Start INN.
-    su news -c '<pathbin>/rc.news' >> <pathlog>/rc.news 2>&1
+    su news -s /bin/sh -c '<pathbin>/rc.news' >> <pathlog>/rc.news 2>&1
     # Start another nnrpd daemon, handling initial TLS connections, on port 563.
     # (The preferred way would be to use port 119 and STARTTLS but not all news
     # readers support it yet.)
-    #su news -c '<pathbin>/nnrpd -D -p 563 -S' >> <pathlog>/rc.news 2>&1
+    #su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S' >> <pathlog>/rc.news 2>&1
 }
 
 case "$1" in
@@ -26,10 +26,10 @@
 
 stop)
     # Stop INN.
-    su news -c '<pathbin>/rc.news stop' >> <pathlog>/rc.news 2>&1
+    su news -s /bin/sh -c '<pathbin>/rc.news stop' >> <pathlog>/rc.news 2>&1
     # Stop possible other nnrpd daemons.  One of the two following commands is enough.
     #start-stop-daemon --stop --name nnrpd --quiet --oknodo
-    #su news -c 'killall nnrpd' >> <pathlog>/rc.news 2>&1
+    #su news -s /bin/sh -c 'killall nnrpd' >> <pathlog>/rc.news 2>&1
     ;;
 
 reload|force-reload)
Index: b/contrib/sample.init.systemd
===================================================================
--- a/contrib/sample.init.systemd
+++ b/contrib/sample.init.systemd
@@ -13,7 +13,7 @@
 PIDFile=/run/news/innd.pid
 Type=forking
 ExecStart=/usr/libexec/news/rc.news
-ExecStop=/bin/su -m news -c '/usr/libexec/news/rc.news stop'
+ExecStop=/bin/su -m news -s /bin/sh -c '/usr/libexec/news/rc.news stop'
 KillMode=control-group
 
 [Install]
Index: b/doc/checklist
===================================================================
--- a/doc/checklist
+++ b/doc/checklist
@@ -185,7 +185,7 @@
     *   Start innd by running *pathbin*/rc.news as the news user.  It is
         also what you should launch in your init scripts:
 
-            su news -c <pathbin in inn.conf>/rc.news
+            su news -s /bin/sh -c <pathbin in inn.conf>/rc.news
 
         Check *pathlog*/news.notice to see if everything went well; also use
         "ps" to see if innd is running.
@@ -265,7 +265,7 @@
         these connections to NNTPS port 563 and put something like that in
         your init scripts:
 
-            su news -c '<pathbin>/nnrpd -D -c <pathetc>/readers-ssl.conf -p 563 -S'
+            su news -s /bin/sh -c '<pathbin>/nnrpd -D -c <pathetc>/readers-ssl.conf -p 563 -S'
 
         Note that a news client which supports the STARTTLS command can also
         use the conventional NNTP port 119 to initiate a TLS connection. 
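Review bot: The two changes in doc/checklist are repeated by hand in doc/pod/checklist.pod, just as the INSTALL changes are repeated in doc/pod/install.pod. If the plain-text files are generated from the POD sources, patch only the POD and regenerate the text files so the copies cannot drift apart.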
Index: b/doc/pod/checklist.pod
===================================================================
--- a/doc/pod/checklist.pod
+++ b/doc/pod/checklist.pod
@@ -227,7 +227,7 @@
 Start B<innd> by running I<pathbin>/rc.news B<as the news user>.  It
 is also what you should launch in your init scripts:
 
-    su news -c <pathbin in inn.conf>/rc.news
+    su news -s /bin/sh -c <pathbin in inn.conf>/rc.news
 
 Check I<pathlog>/news.notice to see if everything went well; also use
 C<ps> to see if B<innd> is running.
@@ -322,7 +322,7 @@
 You then need to start a second B<nnrpd> to listen to these connections
 to NNTPS port 563 and put something like that in your init scripts:
 
-    su news -c '<pathbin>/nnrpd -D -c <pathetc>/readers-ssl.conf -p 563 -S'
+    su news -s /bin/sh -c '<pathbin>/nnrpd -D -c <pathetc>/readers-ssl.conf -p 563 -S'
 
 Note that a news client which supports the STARTTLS command can also
 use the conventional NNTP port 119 to initiate a TLS connection.  However,
Index: b/doc/pod/install.pod
===================================================================
--- a/doc/pod/install.pod
+++ b/doc/pod/install.pod
@@ -1455,7 +1455,7 @@
 or, if your system does not have per-user crontabs, put the following line
 into your system crontab instead:
 
-    0 3 * * * su -c '<pathbin in inn.conf>/news.daily expireover lowmark' news
+    0 3 * * * su -s /bin/sh -c '<pathbin in inn.conf>/news.daily expireover lowmark' news
 
 If you're using any non-CNFS storage methods, add C<delayrm> to the above
 option list for B<news.daily>.
@@ -1535,7 +1535,7 @@
 news user and not as root.  To start INN on system boot, you therefore
 want to put something like:
 
-    su news -c <pathbin in inn.conf>/rc.news
+    su news -s /bin/sh -c <pathbin in inn.conf>/rc.news
 
 in the system boot scripts.  If B<innd> is stopped or killed, you can restart
 it by running B<rc.news> by hand as the news user.
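Review bot: The example gains `-s /bin/sh`, but the surrounding paragraph still only says to run rc.news as the news user, so a reader cannot tell why the shell is forced or whether the option can be dropped. Suggest adding one sentence after the example saying that `-s /bin/sh` makes su run the command with /bin/sh instead of the news account's own shell, which matters when that account is set up with a shell that does not execute commands.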
@@ -1543,7 +1543,7 @@
 The B<rc.news> script may also be used to shut down INN, with the C<stop>
 option:
 
-    su news -c '<pathbin in inn.conf>/rc.news stop'
+    su news -s /bin/sh -c '<pathbin in inn.conf>/rc.news stop'
 
 In the F<contrib> directory of this source tree, two sample init scripts are provided:  one
 for people using System V-style init.d directories, and another for people
@@ -1553,7 +1553,7 @@
 B<nnrpd> to listen to these connections to NNTPS port 563 and put something
 like that in your init scripts:
 
-    su news -c '<pathbin in inn.conf>/nnrpd -D -c <pathetc in inn.conf>/readers-ssl.conf -p 563 -S'
+    su news -s /bin/sh -c '<pathbin in inn.conf>/nnrpd -D -c <pathetc in inn.conf>/readers-ssl.conf -p 563 -S'
 
 where F<readers-ssl.conf> is the file which indicates whether a given
 connection is allowed to read and post news (you can also use the
@@ -1568,7 +1568,7 @@
 
 or if you do not have a B<start-stop-daemon> utility:
 
-    su news -c 'killall nnrpd'
+    su news -s /bin/sh -c 'killall nnrpd'
 
 =head1 Processing Newsgroup Control Messages
 
Index: b/doc/pod/nnrpd.pod
===================================================================
--- a/doc/pod/nnrpd.pod
+++ b/doc/pod/nnrpd.pod
@@ -213,7 +213,7 @@
 B<nnrpd> to listen on that port through some other means.  This can be
 done with the B<-D> flag along with C<-p 563> and put into your init scripts:
 
-    su news -c '<pathbin>/nnrpd -D -p 563 -S'
+    su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'
 
 but the easiest way is probably to add a line like:
 
Index: b/doc/pod/rc.news.pod
===================================================================
--- a/doc/pod/rc.news.pod
+++ b/doc/pod/rc.news.pod
@@ -67,16 +67,16 @@
 
 To start INN and leave certain error messages going to the terminal:
 
-       su - news -c <pathbin in inn.conf>/rc.news
+       su - news -s /bin/sh -c <pathbin in inn.conf>/rc.news
 
 To run INN at startup time from appropriate system boot scripts:
 
-       su - news -c <pathbin>/rc.news >/dev/console
+       su - news -s /bin/sh -c <pathbin>/rc.news >/dev/console
 
 To stop INN (throttling first):
 
        <pathbin>/ctlinnd throttle reason
-       su - news -c '<pathbin>/rc.news stop'
+       su - news -s /bin/sh -c '<pathbin>/rc.news stop'
 
 =head1 BUGS
 
Index: b/scripts/rc.news.in
===================================================================
--- a/scripts/rc.news.in
+++ b/scripts/rc.news.in
@@ -3,10 +3,10 @@
 
 ##  $Revision: 9340 $
 ##  News boot script.  Runs as "news" user.  Run from rc.whatever as:
-##     su news -c /path/to/rc.news >/dev/console
+##     su news -s /bin/sh -c /path/to/rc.news >/dev/console
 ##
 ##  Or to stop INN:
-##     su news -c '/path/to/rc.news stop'
+##     su news -s /bin/sh -c '/path/to/rc.news stop'
 
 waitforpid()
 {
