Today's Topics:
1. rc.news: checking whether we run as the news user (Julien ÉLIE)
2. Re: rc.news: checking whether we run as the news user
(Noel Butler)
3. Re: rc.news: checking whether we run as the news user
(Russ Allbery)
----------------------------------------------------------------------
Message: 1
Date: Wed, 24 Sep 2014 22:12:26 +0200
From: Julien ÉLIE <[email protected]>
To: "[email protected]" <[email protected]>
Subject: rc.news: checking whether we run as the news user
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi all,

In the rc.news man page, there is a BUGS section that mentions:

    "Running rc.news start as root is never the right thing to do,
    so we should at minimum check for this and error, or perhaps
    change effective user ID."

I suggest checking whether rc.news is run as another user ID than the
"news" user (in all cases, be it start or stop). If it is the case, we
exit with the error:

    rc.news should be run as the "news" user

where "news" is in fact the value of the runasuser keyword in inn.conf
(the real news user).
I don't think we should change effective user ID (if root). It might
hide another issue.

Would this behaviour be OK to do for INN 2.6.0 (CURRENT)?
I ask because some of you may know use cases where rc.news should be run
as root or another user than the news user.

P.-S.: To be as portable as possible, we should retrieve the current
user in a way similar to what we already do in our Makefile.global:

    (whoami || perl -e 'print scalar getpwuid($>), "\n"') 2>/dev/null

--
Julien ÉLIE

« For Rome, the direction matters little, since all roads lead
  there. » (Astérix)
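
The check proposed in Message 1, sketched as an added example; it is not part of the original message and is not INN's rc.news code. The function names, the simplified inn.conf parser and the fallback to "news" when runasuser is absent are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: refuse to continue unless we run as the configured
# news user. All function names here are hypothetical.

# Print the name of the effective user, using the same fallback chain
# as the command quoted from Makefile.global.
current_user() {
    (whoami || perl -e 'print scalar getpwuid($>), "\n"') 2>/dev/null
}

# Print the value of the runasuser keyword from an inn.conf-style file
# ("key: value" lines, '#' starts a comment). The last occurrence wins.
# Assumption: prints "news" when the file or the keyword is missing.
runasuser_from_conf() {
    conf=$1
    user=$(sed -n \
        's/^[[:space:]]*runasuser[[:space:]]*:[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${user:-news}"
}

# require_user ACTUAL EXPECTED
# Return 0 when both names match. Otherwise print the error suggested in
# the message on stderr and return 1. An empty ACTUAL (the lookup failed)
# is treated as a failure rather than silently accepted.
require_user() {
    actual=$1
    expected=$2
    if [ -z "$actual" ]; then
        echo "rc.news: cannot determine the current user" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "rc.news should be run as the \"$expected\" user" >&2
        return 1
    fi
    return 0
}

# Intended use at the top of a start/stop script (path is a placeholder):
#   require_user "$(current_user)" "$(runasuser_from_conf /path/to/inn.conf)" || exit 1
```

The comparison fails closed: root is rejected like any other non-matching user, with no attempt to change effective user ID, which is the behaviour the message argues for.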
------------------------------
Message: 2
Date: Thu, 25 Sep 2014 08:33:28 +1000
From: Noel Butler <[email protected]>
To: [email protected]
Subject: Re: rc.news: checking whether we run as the news user
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
On 25/09/2014 06:12, Julien ÉLIE wrote:
> Hi all,
>
> In the rc.news man page, there is a BUGS section that mentions:
>
> "Running rc.news start as root is never the right thing to do,
> so we should at minimum check for this and error, or perhaps
> change effective user ID."
>
> I suggest checking whether rc.news is run as another user ID than the "news"
> user (in all cases, be it start or stop). If it is the case, we exit with the
> error:
>
> rc.news should be run as the "news" user
>
> where "news" is in fact the value of the runasuser keyword in inn.conf (the
> real news user).
> I don't think we should change effective user ID (if root). It might hide
> another issue.
>
> Would this behaviour be OK to do for INN 2.6.0 (CURRENT)?
> I ask because some of you may know use cases where rc.news should be run as
> root or another user than the news user.
>
> P.-S.: To be as portable as possible, we should retrieve the current user in
> a way similar to what we already do in our Makefile.global:
> (whoami || perl -e 'print scalar getpwuid($>), "\n"') 2>/dev/null

That's going backwards...

Being a privileged port it needs somewhere root to open that port, any
starting of any privileged service should be run as root but change to
effective user after starting, it's how every other heavily used common
daemon out there works - think httpd, postfix, sendmail, dovecot,
<opposition software>, the list goes on.

Secondly, given most daemons on servers are started from startup
scripts, it makes more sense to do it this way, the fact inn doesn't has
amazed me for some time. So if moving to a new major version, it makes
more sense to "get with the times" that are less finicky, time proven
standard, and hassle free, especially for new users (I did not comment
on that other previous thread, but that OP made some very good points
about modernising inn to be friendlier, but sadly seems rather than
consider it, it was instantly discarded as too hard basket, well, that's
how it came across anyhow - I note that his problem of limiting
concurrent users will not be solved easily, in fact maybe not at all
without serious code since he wants IPv6, and most end users get
assigned a /64, how he thinks he can manage that would be interesting).

Disclaimer:
I last seriously looked at inn, ten years back.
I use another product (which works like normal daemons, start as root,
change down to news)
I am a lurker here because said product may not be suitable in time to
come (related to a previous thread) and I don't want to jump in the deep
end blindfolded, so am here to observe and learn in case inn's the way
I decide to move to.
------------------------------
Message: 3
Date: Wed, 24 Sep 2014 15:50:46 -0700
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: rc.news: checking whether we run as the news user
Message-ID: <[email protected]>
Content-Type: text/plain
Noel Butler <[email protected]> writes:
> Being a privileged port it needs somewhere root to open that port, any
> starting of any privileged service should be run as root but change to
> effective user after starting, it's how every other heavily used common
> daemon out there works - think httpd, postfix, sendmail, dovecot,
> <opposition software>, the list goes on.

But it's a poor way to do it from a security perspective, and INN does it
a better way that doesn't require starting the entire complex binary as
root and hoping there are no bugs before you drop permissions. The reason
why not many other software packages do what INN does is because it's
tricky and requires two completely separate implementations, one for
System V hosts and one for BSD hosts, but it does work, and it reduces the
footprint of code running as root by quite a lot.

For most users, rc.news is an internal implementation detail, and the init
script that's shipped with the distribution packages (or the init script
that comes with INN) does the right thing, so they don't have to think
about this particular detail.

I would say that we should just drop permissions in rc.news itself, but
that's irritating to do in a complex shell script since you basically have
to wrap every operation in a call to su. In the long run, replacing
rc.news with good systemd / OpenRC / launchd / upstart / etc.
configurations would be the best approach, if a fair bit of work. Most of
what rc.news does is start various daemons the hard way or kick off
various one-time cleanup jobs, which is now handled much better by modern
init systems.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
------------------------------
_______________________________________________
inn-workers mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/inn-workers
End of inn-workers Digest, Vol 64, Issue 14
*******************************************