inndstart man page on IRIX

inndstart(8)	    InterNetNews Documentation	     inndstart(8)

NAME
       inndstart - Start innd

SYNOPSIS
       inndstart [-P port] [-I address] [innd-options]

DESCRIPTION
       The purpose of inndstart is to raise system file descriptor
       limits, open the privileged news transfer port, and then
       start innd(8), passing it the open file descriptor for the
       news port.  inndstart is used since only privileged programs
       can perform those two operations and since innd should not
       run privileged.  It is installed setuid root and drops
       privileges to the news user (set at configure time) before
       running innd.

       Normally there is no need to run inndstart directly.
       Instead, run rc.news(8) as the news user, and it will handle
       running inndstart appropriately for you.

       Since inndstart is setuid root, it is extremely restrictive
       about who can run it and what it is willing to do.  See the
       section on "SECURITY" for the full details.

       inndstart can only be run by the news user; if run by any
       other user, it will abort.  Of the ports below 1024, it will
       bind only to 119, 433, or the port number given at configure
       time with --with-innd-port; it can bind to any port above
       1024.  This is to prevent various security exploits possible
       by binding to arbitrary privileged ports.

       Before running innd, inndstart cleans out the environment
       and sets only those environment variables listed in the
       section on "ENVIRONMENT".

OPTIONS
       -P port
	   Bind to port instead of whatever is specified by port
	   in inn.conf(5).  Note that this is subject to the
	   constraints mentioned above.

       -I address
	   Bind as address instead of whatever is specified by
	   bindaddress in inn.conf(5).	The default behavior is
	   to bind to INADDR_ANY, and that's what's desired
	   almost all the time.	 This option, and the inn.conf(5)
	   parameter, may be useful if the machine has multiple
	   interface cards and innd should only be listening on a
	   particular one.

       All other options given on the command line are passed
       verbatim to innd.  In addition, inndstart will give the -p
       option to innd, specifying the file descriptor of the open
       network socket.

SECURITY
       inndstart is setuid root, and therefore an expected point
       of attack.  It has therefore been carefully written with
       security in mind.  In a normal INN installation, it is
       installed setuid root and executable only by users in the
       news group.

       Ideally, everything about inndstart's operations would be
       hard-coded so that it could not be modified.  Fighting
       against this desire, however, is the ideal that as much of
       INN's operation as possible should be configurable at run-
       time using inn.conf(5), and the news system should be able
       to use an alternate inn.conf by setting INNCONF to the path
       to that file before starting any programs.  The configuration
       data therefore can't be trusted.

       The security model used is:

       *  inndstart can only be executed by the news user and news
	  group, as determined at configure time and compiled into
	  inndstart as constants.  Similarly, inndstart will
	  always setuid() and setgid() to those users before
	  running innd.  This is to prevent a user other than news
	  but in the news group from using inndstart to leverage
	  that access into access to the news account.

       *  As mentioned above, inndstart will only bind to a very
	  limited set of ports below 1024.  There are various
	  attacks that can be performed using random low-numbered
	  ports, including exploits of the rsh family of commands
	  on some systems.

       *  inndstart does as little as possible as root, dropping
	  privileges before performing any operations that do not
	  require elevated privileges.

       This program therefore gives the news user the ability to
       raise system file descriptor limits and bind to the news
       port, and nothing else.
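       The three rules above (invoker check, low-port allow-list,
       and privilege drop that cannot be undone) written out as
       standalone C functions.  This is an added example, not INN's
       own code; INND_PORT and the uid/gid arguments stand in for the
       values inndstart has compiled in at configure time.

```c
/* Added example (not INN's code): the checks a setuid starter such as
 * inndstart performs.  INND_PORT is an assumed stand-in for the
 * --with-innd-port configure-time constant. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

#define INND_PORT 119   /* assumed value of --with-innd-port */

/* Port allow-list: any port above 1023 may be bound; below 1024 only
 * 119, 433 or the configure-time port are accepted. */
int port_allowed(int port)
{
    if (port < 1 || port > 65535)
        return 0;
    if (port >= 1024)
        return 1;
    return port == 119 || port == 433 || port == INND_PORT;
}

/* Invoker check on the *real* uid/gid, mirroring the "ran by UID"
 * and "ran by GID" fatal errors: only the news user and group may run. */
int invoker_ok(uid_t news_uid, gid_t news_gid)
{
    return getuid() == news_uid && getgid() == news_gid;
}

/* Permanent privilege drop in the safe order: supplemental groups
 * first, then gid, then uid last, then verify root cannot be regained.
 * Returns 0 on success, 1 if only setgroups() failed (inndstart logs
 * that as a warning and continues), -1 on a fatal failure. */
int drop_to_news(uid_t news_uid, gid_t news_gid)
{
    gid_t groups[1] = { news_gid };
    int rc = 0;

    if (setgroups(1, groups) < 0)
        rc = 1;                     /* "can't setgroups": non-fatal */
    if (setgid(news_gid) < 0 || setuid(news_uid) < 0)
        return -1;                  /* "can't setgid"/"can't setuid" */
    /* If the process was root, a further setuid(0) must now fail. */
    if (news_uid != 0 && setuid(0) == 0)
        return -1;
    if (geteuid() != news_uid || getegid() != news_gid)
        return -1;
    return rc;
}
```

       Run as an ordinary user, drop_to_news() returns 1 because
       setgroups() needs root; the gid/uid calls still succeed since
       they name the caller's own ids.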

DIAGNOSTICS
       inndstart may log the following messages to syslog (like
       the rest of INN, syslog is the best place to find detailed
       debugging information):

       can't bind: %s
	   (Fatal) Unable to bind to the designated port.  This
	   usually means that something else is already running
	   on the news port.  Check with netstat(8) and make sure
	   that inetd(8) doesn't think it's running a service on
	   the same port you're trying to run innd on.

       can't exec %s: %s
	   (Fatal) inndstart was unable to execute innd.  Make
	   sure that pathbin is set correctly in inn.conf and
	   that innd is located in that directory and is
	   executable by the news user.

       can't getrlimit(NOFILE)
	   (Warning) Unable to obtain the current system resource
	   limit on file descriptors.  Chances are something is
	   wrong with the *rlimit() functions.  The file
	   descriptor limit was left unchanged from the system
	   default.

       can't open socket: %s
	   (Fatal) Something went wrong in creating the network
	   socket.  Chances are your system is out of resources
	   of some kind.

       can't setgid(%d): %s
	   (Fatal) Dropping privileges to the news group failed
	   for some reason.

       can't setgroups: %s
	   (Warning) Dropping all supplemental groups except the
	   news group failed for some reason, and the process
	   group membership was left unchanged.	 This message may
	   indicate a minor security hole if the news user is in
	   extra groups.

       can't setrlimit(NOFILE, %d)
	   (Warning) Unable to set the system file descriptor
	   limit to the specified value.  Either that value is
	   too high for your system or something else went wrong.
	   The file descriptor limit was left unchanged.  Try
	   changing rlimitnofile in inn.conf to a smaller value.

       can't setsockopt: %s
	   (Warning) inndstart attempts to set SO_REUSEADDR so
	   that if innd exits, it can be restarted again
	   immediately without waiting for the port to time out.
	   For some reason, this failed, and that option was not
	   set on the port.

       can't setuid(%d): %s
	   (Fatal) Dropping privileges to the news user failed
	   for some reason.

       can't stat pathrun (%s): %s
	   (Fatal) pathrun as specified in inn.conf doesn't
	   exist.

       getgrnam(%s) failed
	   (Fatal) Unable to determine the GID for the compiled-
	   in news group.  Is the news group listed in
	   /etc/group?

       getpwnam(%s) failed
	   (Fatal) Unable to determine the UID for the compiled-
	   in news user.  Is the news user listed in /etc/passwd?

       invalid address %s
	   (Fatal) -I was specified on the command line, but the
	   argument wasn't a valid address.  Addresses must be
	   given as numeric IP addresses.

       invalid bindaddress in inn.conf (%s)
	   (Fatal) The bindaddress specified in inn.conf could
	   not be converted to an IP address.  See inn.conf(5)
	   for more information about valid values.

       invalid port %s
	   (Fatal) -P was specified on the command line, but the
	   argument wasn't a valid port.  Ports must be port
	   numbers; service names are not allowed.

       missing address after -I
	   (Fatal) -I was given on the command line, but no
	   address was given after the option.

       missing port after -P
	   (Fatal) -P was given on the command line, but no port
	   was given after the option.

       pathrun (%s) not a directory
	   (Fatal) pathrun as specified in inn.conf isn't a
	   directory.  This is where innd will create its local
	   control socket; it should always be a directory.

       pathrun (%s) owned by group %d, not %s (%d)
	   (Fatal) pathrun specified in inn.conf must be owned by
	   the news group.  This is checked for security reasons.

       pathrun (%s) owned by user %d, not %s (%d)
	   (Fatal) pathrun specified in inn.conf must be owned by
	   the news user.  This is checked for security reasons.

       ran by GID %d, who isn't %s (%d)
	   (Fatal) Someone not in the news group attempted to run
	   inndstart.  If you were running inndstart as the news
	   user, make sure that the news user's default group is
	   the news group you picked at compile time (`news' by
	   default).

       ran by UID %d, who isn't %s (%d)
	   (Fatal) Someone other than the news user attempted to
	   run inndstart.  inndstart may only be run by the news
	   user for security reasons.

       seteuid(%d) failed: %s
	   (Fatal) Unable to change the effective UID.  This
	   usually means that inndstart was installed with the
	   wrong permissions.  If it does have the correct
	   permissions (setuid root) and seteuid() to root (UID 0)
	   is failing, this may mean that your system has
	   seteuid() but doesn't have support for POSIX saved
	   UIDs.  If this is the case, please report this to the
	   INN maintainers.

       setreuid(%d, %d) failed: %s
	   (Fatal) Unable to change the real and effective UIDs.
	   This message usually means that inndstart was
	   installed with the wrong permissions.

       tried to bind to port %d
	   (Fatal) inndstart was told to bind to a low numbered
	   port (under 1024) other than 119, 433, or the port
	   number given at configure time.  This is not allowed
	   for security reasons.

EXAMPLES
       Normally, inndstart is never run directly.  However, a
       simple way to just restart innd without running any other
       auxiliary programs or performing any of the other checks
       done by rc.news(8) is to just run:

	   inndstart

       as the news user.

       To start innd on port 433, passing it the `-c21' option,
       use:

	   inndstart -P433 -c21

ENVIRONMENT
       One environment variable affects the operation of
       inndstart itself:

       INNCONF The full path to the inn.conf(5) file to read,
	       rather than the default.	 This can be used to run
	       multiple copies of INN on the same machine with
	       different settings.

       When executing innd, inndstart cleans out the entire
       environment and sets only the following variables:

       BIND_INADDR
	       Passed verbatim from inndstart's environment.
	       This is apparently used on Linux.

       HOME    Set to pathnews from inn.conf.

       LOGNAME Set to the news master, as determined at configure
	       time.

       PATH    Set to pathbin from inn.conf, pathetc from
	       inn.conf, and then /bin, /usr/bin, and /usr/ucb in
	       that order.

       SHELL   Set to the path to the system Bourne shell as
	       determined by configure (probably /bin/sh).

       TMPDIR  Set to pathtmp from inn.conf.

       TZ      Passed verbatim from inndstart's environment.

       USER    Set to the news master, as determined at configure
	       time.

FILES
       inn.conf
	   Read for pathnews, pathbin, pathrun, pathtmp,
	   rlimit_nofile, bindaddress, and port.

       pathbin/innd
	   The binary that is executed as innd and passed the
	   open network socket.

       pathrun
	   Checked for existence and the right ownership.

HISTORY
       Written by Russ Allbery <rra@stanford.edu> for InterNet
       News.

       $Id: inndstart.8,v 1.2 1999/10/23 16:25:47 rra Exp $

SEE ALSO
       inn.conf(5), innd(8)

1999-10-23		     INN 2.3		     inndstart(8)