Send inn-workers mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."


Today's Topics:

   1. Re: rc.news:  checking whether we run as the news user
      (Julien ÉLIE)
   2. Re: rc.news:  checking whether we run as the news user
      (Noel Butler)
   3. Re: rc.news:  checking whether we run as the news user
      (Russ Allbery)
   4. Re: rc.news:  checking whether we run as the news user
      (Russ Allbery)


----------------------------------------------------------------------

Message: 1
Date: Thu, 25 Sep 2014 23:01:03 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: rc.news:  checking whether we run as the news user
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1

Hi Noel,

>> I suggest to check whether rc.news is run as another user ID than
>> the "news" user (in all cases, be it start or stop).
> 
> That's going backwards...
> 
> Being a privileged port, it needs root somewhere to open that port; any 
> starting of any privileged service should be run as root but change to the 
> effective user after starting. It's how every other heavily used common 
> daemon out there works: think httpd, postfix, sendmail, dovecot, 
> <opposition software>, the list goes on.

In complement to Russ' answer, I would add that the binding is done thanks to a 
setuid root program named innbind.  It permits innd and nnrpd to bind to ports 
under 1024.  Quoting its documentation, "the only functions that it's willing 
to perform are to bind an open file descriptor to a given address and port or 
to create a new socket, bind it, and return the bound socket to its caller.  It 
can only be run as the news user (as specified at configure time), and will 
only bind to ports 119, 433, 563, an additional port specified with the 
--with-innd-port argument to configure, or ports numbered 1024 or higher."

That's why the rc.news script does not need to be run as the root user.



> Secondly, given most daemons on servers are started from startup 
> scripts, it makes more sense to do it this way; the fact that INN doesn't has 
> amazed me for some time.

INN of course is started via a startup script.  I have been using an 
init.d/inn2 script on my Debian system for years, consisting of:

#!/bin/sh
# Debian init.d/inn2: every INN program is started as the news user via su.

start () {
    su news -c /home/news/bin/rc.news >> /var/log/news/rc.news 2>&1
    su news -c '/home/news/bin/nnrpd -D -c /home/news/etc/readers-ssl.conf -p 563 -S' >> /var/log/news/rc.news 2>&1
}

stop () {
    start-stop-daemon --stop --name nnrpd --quiet --oknodo --chuid news:news \
      >> /var/log/news/rc.news 2>&1
    su news -c '/home/news/bin/rc.news stop' >> /var/log/news/rc.news 2>&1
}

case "$1" in
    start)
        echo -n "Starting news server: "
        start
        echo "done."
        ;;
    stop)
        echo -n "Stopping news server: "
        stop
        echo "done."
        ;;
    reload|force-reload)
        echo -n "Reloading most INN configuration files: "
        /home/news/bin/ctlinnd -t 20 reload '' 'init script'
        ;;
    restart)
        echo -n "Restarting innd: "
        if [ -f /var/run/news/innd.pid ]; then
            # Throttle innd, then ask it to re-exec itself; fall back to a
            # cold start if that fails.
            /home/news/bin/ctlinnd -t 20 throttle 'init script' > /dev/null || true
            /home/news/bin/ctlinnd -t 20 xexec innd > /dev/null || start
        else
            start
        fi
        echo "done."
        ;;
    *)
        echo "Usage: /etc/init.d/inn2 start|stop|restart|reload" >&2
        exit 1
        ;;
esac



That's it.
As Russ says, rc.news is an internal program shipped with INN, called by the 
startup script.



As you mention httpd earlier in your mail, I wish to recall that my Debian 
init.d/apache2 startup script has 286 lines and does a lot of control.  It then 
calls apache2ctl, which is a shell script (equivalent to rc.news) of 180 lines.
apache2ctl finally starts the apache2 binary (httpd), the same way rc.news 
finally starts the innd binary.


How INN is started then shouldn't amaze you, as it is not that unusual!



> I did not comment 
> on that other previous thread, but that OP made some very good points 
> about modernising INN to be friendlier, but sadly it seems that rather than 
> consider it, it was instantly discarded into the too-hard basket.

Well, I'm sorry to have led to that impression.
I understand the point made and tried to give a few pointers to help him manage 
to achieve his goal of limiting concurrent users.  Unfortunately, it was not 
enough owing to performance issues.  I couldn't give more, and I do not 
currently have enough time (and also probably experience) to code what he would 
have liked to see in INN.

-- 
Julien ÉLIE

« For Rome, the direction matters little, since all roads lead
  there. » (Astérix)


------------------------------

Message: 2
Date: Fri, 26 Sep 2014 10:17:17 +1000
From: Noel Butler <[email protected]>
To: [email protected]
Subject: Re: rc.news:  checking whether we run as the news user
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"


Hi Julien, 

On 26/09/2014 07:01, Julien ÉLIE wrote: 

> As you mention httpd earlier in your mail, I wish to recall that my Debian 
> init.d/apache2 startup script has 286 lines and does a lot of control. It then 
> calls apache2ctl, which is a shell script (equivalent to rc.news) of 180 
> lines.
> apache2ctl finally starts the apache2 binary (httpd), the same way rc.news 
> finally starts the innd binary.

I can run /etc/rc.d/rc.httpd (as it's the system startup at boot), apachectl,
and even httpd itself by hand as root, and it starts without the need to
su prior to doing so. INN requires su before its scripts, specifically
before running those types of files, as your example boot-time startup
script shows, so it's not actually the same :) 

>> I did not comment on that other previous thread, but that OP made some very 
>> good points about modernising INN to be friendlier, but sadly it seems that 
>> rather than consider it, it was instantly discarded into the too-hard basket.
> 
> Well, I'm sorry to have led to that impression.
> I understand the point made and tried to give a few pointers to help him 
> manage to achieve his goal of limiting concurrent users. Unfortunately, it 
> was not enough owing to performance issues. I couldn't give more, and I do 
> not currently have enough time (and also probably experience) to code what he 
> would have liked to see in INN.

It would be a massive amount of work for anyone. As I mentioned, since
he wanted it for IPv6, limiting users would have to be based on subnet,
but at what point do you draw that line? We've had that discussion many
a time with DNSBL IPv6 listings: what limit do you put on it? Though the
code in rbldnsd uses /64, with /128 exemptions, only half the people
agree; many say it's not enough, many say it's overkill. You'll never win
unless you allow a configurable option, and I can see 1K lines of code
turning into 100K lines of code :) 

I mentioned typically a /64 for each user, but some get /56s and others
I've seen say they only get a /112, so limiting concurrent users will be
a problem regardless of whether it's INN, <other newsd>, or any other daemon
even unrelated to news, so he really is wasting his time on that one the
moment he opens his doors to IPv6. From a personal point of view, I too
think the required time and effort doesn't match the current need; maybe
it will in ten years, but certainly not now. 

Cheers 


------------------------------

Message: 3
Date: Thu, 25 Sep 2014 18:04:03 -0700
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: rc.news:  checking whether we run as the news user
Message-ID: <[email protected]>
Content-Type: text/plain

Noel Butler <[email protected]> writes:

> I can run /etc/rc.d/rc.httpd (as it's the system startup at boot), apachectl,
> and even httpd itself by hand as root, and it starts without the need to
> su prior to doing so. INN requires su before its scripts, specifically
> before running those types of files, as your example boot-time startup
> script shows, so it's not actually the same :)

It wouldn't be hard to drop permissions in innd immediately at the top of
main() if it discovers that it's run as root instead of just bailing out.
It's always hard to figure out the right balance between attempting to
self-correct (and possibly getting things wrong) versus just telling the
user something looks wrong and leaving it to them to sort out.  But maybe
it would be less confusing to just switch to the right user if we can.

-- 
Russ Allbery ([email protected])              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
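To make the two mechanisms discussed in this thread concrete, here is an added example that is neither INN's code nor anything posted by the participants: the port policy and caller check that Julien quotes from innbind's documentation (only the fixed ports 119, 433, 563, an optional configure-time port, or ports of 1024 and above, and only for the news user), and the drop-to-the-news-user at the top of main() that Russ describes. The account name "news" is the one used in the thread; INND_EXTRA_PORT stands in for the --with-innd-port value and is a constructed placeholder, and the sample port list is constructed. Function names are mine, not INN's.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder for the --with-innd-port configure value; 0 means none. */
#define INND_EXTRA_PORT 0

/* Port policy in the style innbind's documentation describes: a fixed
 * allow-list of NNTP ports below 1024, the optional configure-time port,
 * and any unprivileged port (1024 or higher). */
int bind_port_allowed(int port)
{
    if (port <= 0 || port > 65535)
        return 0;
    if (port == 119 || port == 433 || port == 563)
        return 1;
    if (INND_EXTRA_PORT != 0 && port == INND_EXTRA_PORT)
        return 1;
    return port >= 1024;
}

/* A setuid root helper must decide on the *real* uid of its caller; the
 * effective uid is root while the setuid bit is in force and says nothing
 * about who invoked it. */
int caller_is_user(uid_t real_uid, uid_t expected_uid)
{
    return real_uid == expected_uid;
}

/* Resolve an account name to uid/gid.  Returns 0 on success, -1 if unknown. */
int lookup_account(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently drop root to uid/gid, as a daemon started by root could do at
 * the top of main().  Order matters: supplementary groups first, then gid,
 * then uid, because once the uid is no longer 0 the groups can no longer be
 * changed.  The drop is then verified by trying to regain root.  Returns 0
 * on success, -1 on failure; a request to "drop" to uid 0 is refused.  When
 * not running as root it only checks that the current ids already match. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {
        errno = EPERM;
        return -1;
    }
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0)
            return -1;
        if (setgid(gid) != 0)
            return -1;
        if (setuid(uid) != 0)
            return -1;
        /* If root can be regained, the drop was not permanent. */
        if (setuid(0) == 0 || seteuid(0) == 0) {
            errno = EPERM;
            return -1;
        }
    }
    if (getuid() != uid || geteuid() != uid)
        return -1;
    if (getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample ports: the three NNTP ports, one other privileged
     * port, and two unprivileged ones. */
    const int ports[] = { 119, 433, 563, 25, 1024, 8119 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port %5d: %s\n", ports[i],
               bind_port_allowed(ports[i]) ? "allowed" : "refused");

    /* "news" is the account from the thread; it may not exist on this host,
     * in which case we fall back to our own ids so the demo still runs. */
    uid_t uid;
    gid_t gid;
    if (lookup_account("news", &uid, &gid) != 0) {
        fprintf(stderr, "no 'news' account here; using our own ids\n");
        uid = getuid();
        gid = getgid();
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "could not drop privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u, gid %u\n",
           (unsigned) geteuid(), (unsigned) getegid());
    return 0;
}
```

Run as an ordinary user the program only verifies its ids; run as root on a host with a news account it drops to that account and confirms root cannot be regained, which is the check a startup script that runs things through su (as in the init.d/inn2 script earlier in this digest) never has to make itself.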


------------------------------

Message: 4
Date: Thu, 25 Sep 2014 19:04:11 -0700
From: Russ Allbery <[email protected]>
To: [email protected]
Subject: Re: rc.news:  checking whether we run as the news user
Message-ID: <[email protected]>
Content-Type: text/plain

Russ Allbery <[email protected]> writes:
> Noel Butler <[email protected]> writes:

>> I can run /etc/rc.d/rc.httpd (as it's the system startup at boot),
>> apachectl, and even httpd itself by hand as root, and it starts without
>> the need to su prior to doing so. INN requires su before its scripts,
>> specifically before running those types of files, as your example
>> boot-time startup script shows, so it's not actually the same :)

> It wouldn't be hard to drop permissions in innd immediately at the top
> of main() if it discovers that it's run as root instead of just bailing
> out.  It's always hard to figure out the right balance between
> attempting to self-correct (and possibly getting things wrong) versus
> just telling the user something looks wrong and leaving it to them to
> sort out.  But maybe it would be less confusing to just switch to the
> right user if we can.

Oh, wait, we already do this.

So, Noel, are you sure that there's actually a problem with INN here?  I
think it already does exactly what you want it to do.

-- 
Russ Allbery ([email protected])              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.


------------------------------

End of inn-workers Digest, Vol 64, Issue 15
*******************************************