inndstart man page on CentOS

INNDSTART(8)		  InterNetNews Documentation		  INNDSTART(8)

NAME
       inndstart - Start innd

SYNOPSIS
       inndstart [-P port] [-I address] [innd-options]

DESCRIPTION
       The purpose of inndstart is to raise system file descriptor limits,
       open the privileged news transfer port, and then start innd(8), passing
       it the open file descriptor for the news port.  inndstart is used since
       only privileged programs can perform those two operations and since
       innd should not run with elevated privileges.  It is installed setuid
       root and drops privileges to the news user (as set at configure time)
       before running innd.

       Normally there is no need to run inndstart directly.  Instead, run
       rc.news(8) as the news user, and it will handle running inndstart
       appropriately for you.

       Since inndstart is setuid root, it is extremely restrictive about who
       can run it and what it is willing to do.  See "SECURITY" for the full
       details.

       inndstart can only be run by the news user; if run by any other user,
       it will abort.  Among ports below 1024, it will only bind to 119, 433,
       or a port number given at configure time with --with-innd-port; it can
       bind to any port above 1024.  This is to prevent various security
       exploits possible by binding to arbitrary privileged ports.

       Before running innd, inndstart cleans out the environment and sets only
       those environment variables listed in "ENVIRONMENT".

OPTIONS
       -P port
	   Bind to port instead of whatever is specified by port in inn.conf.
	   Note that this is subject to the constraints mentioned above.

       -I address
	   Bind as address instead of whatever is specified by bindaddress in
	   inn.conf.  The default behavior is to bind to INADDR_ANY, and
	   that's what's desired almost all the time.  This option, and the
	   inn.conf parameter, may be useful if the machine has multiple
	   interface cards and innd should only be listening on a particular
	   one.

       All other options given on the command line are passed verbatim to
       innd.  In addition, inndstart will give the -p option to innd, specify‐
       ing the file descriptor of the open network socket.

SECURITY
       inndstart is setuid root, and therefore an expected point of attack.
       It has therefore been carefully written with security in mind.  In a
       normal INN installation, it is installed setuid root and executable
       only by users in the news group.

       Ideally, everything about inndstart's operations would be hard-coded so
       that it could not be modified.  Fighting against this desire, however,
       is the ideal that as much of INN's operation as possible should be con‐
       figurable at run-time using inn.conf, and the news system should be
       able to use an alternate inn.conf by setting INNCONF to the path to that
       file before starting any programs.  The configuration data therefore
       can't be trusted.

       The security model used is:

       · inndstart can only be executed by the news user and news group, as
	 determined at configure time and compiled into inndstart as con‐
	 stants.  Similarly, inndstart will always setuid() and setgid() to
	 those users before running innd.  This is to prevent a user other
	 than news but in the news group from using inndstart to leverage that
	 access into access to the news account.

       · As mentioned above, inndstart will only bind to a very limited subset
	 of ports below 1024.  There are various attacks that can be performed
	 using random low-numbered ports, including exploits of the rsh(1)
	 family of commands on some systems.

       · inndstart does as little as possible as root, dropping privileges
	 before performing any operations that do not require elevated privi‐
	 leges.

       This program therefore gives the news user the ability to raise system
       file descriptor limits and bind to the news port, and nothing else.
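
       The port policy and privilege drop described in this section, as an
       added C example that is not INN's own source.  CONFIGURED_PORT (563
       here) stands in for the --with-innd-port value and the function names
       are hypothetical; unlike inndstart, which only warns when setgroups
       fails, this code treats that failure as fatal when running as root.

```c
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: stands in for the port compiled in via --with-innd-port. */
#define CONFIGURED_PORT 563

/* Parse a -P argument: digits only, no service names.  -1 if invalid. */
long parse_port(const char *arg)
{
    char *end;
    long port;

    if (arg == NULL || *arg < '0' || *arg > '9')
        return -1;
    errno = 0;
    port = strtol(arg, &end, 10);
    if (errno != 0 || *end != '\0' || port < 1 || port > 65535)
        return -1;
    return port;
}

/* Ports below 1024 must be on the allow-list; 1024 and up are unrestricted. */
int port_allowed(long port)
{
    if (port < 1 || port > 65535)
        return 0;
    return port >= 1024 || port == 119 || port == 433 ||
           port == CONFIGURED_PORT;
}

/* Permanently drop root after bind(); returns 0 only if the drop is verified. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear supplementary groups first; fatal here if we are still root. */
    if (setgroups(1, &gid) < 0 && geteuid() == 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)   /* group first, then user */
        return -1;
    if (uid != 0 && setuid(0) == 0)           /* regaining root must fail */
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}
```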

DIAGNOSTICS
       inndstart may log the following messages to syslog and print them to
       stderr.

       can't bind: %s
	   (Fatal) Unable to bind to the designated port.  This usually means
	   that something else is already running on the news port.  Check
	   with netstat(8) and make sure that inetd(8) doesn't think it's run‐
	   ning a service on the same port you're trying to run innd on.

       can't bind to restricted port %d
	   (Fatal) inndstart was told to bind to a low numbered port (under
	   1024) other than 119, 433, or a port number given at configure
	   time.  This is not allowed for security reasons.  If you're running
	   innd on a port other than 119 or 433, you need to give the
	   --with-innd-port flag to "configure" when you compile INN.

       can't exec %s: %s
	   (Fatal) inndstart was unable to execute innd.  Make sure that path‐
	   bin is set correctly in inn.conf and that innd is located in that
	   directory and is executable by the news user.

       can't getgrnam(%s)
	   (Fatal) Unable to determine the GID for the compiled-in news group.
	   Perhaps the news group is not listed in /etc/group.

       can't getpwnam(%s)
	   (Fatal) Unable to determine the UID for the compiled-in news user.
	   Perhaps the news user is not listed in /etc/passwd.

       can't open socket: %s
	   (Fatal) Something went wrong in creating the network socket.
	   Chances are your system is out of resources of some kind.

       can't set file descriptor limit to %d: %s
	   (Warning) Unable to set the system file descriptor limit to the
	   specified value; the limit was left unchanged.  Perhaps that value
           is too high for your system.  Try changing rlimitnofile in inn.conf
	   to a smaller value.

       can't set SO_REUSEADDR: %s
	   (Warning) inndstart attempts to set SO_REUSEADDR using setsock‐
	   opt(2) so that if innd exits, it can be restarted again immediately
	   without waiting for the port to time out.  For some reason, this
	   failed, and that option was not set on the port.

       can't seteuid to %d: %s
           (Fatal) Unable to change the effective UID.  If inndstart has the
	   correct permissions (setuid root) and seteuid to root (UID 0) is
	   failing, this may mean that your system has seteuid(2) but doesn't
	   have support for POSIX saved UIDs.  If this is the case, please
	   report this to the INN maintainers.

       can't setgid to %d: %s
	   (Fatal) Dropping privileges to the news group failed for some rea‐
	   son.

       can't setgroups (is inndstart setuid root?): %s
	   (Warning) Dropping all supplemental groups except the news group
	   failed for some reason, and the process group membership was left
	   unchanged.  This almost always indicates that inndstart isn't
	   setuid root as it has to be to do what it does.  Make sure that
	   inndstart is setuid root, owned by group news, and mode 4710.

       can't setuid to %d: %s
	   (Fatal) Dropping privileges to the news user failed for some rea‐
	   son.

       invalid address %s
	   (Fatal) -I was specified on the command line, but the argument
	   wasn't a valid address.  Addresses must be given as numeric IP
	   addresses.

       invalid bindaddress in inn.conf (%s)
	   (Fatal) The bindaddress specified in inn.conf could not be con‐
	   verted to an IP address.  See inn.conf(5) for more information
	   about valid values.

       invalid port %s (must be a number)
	   (Fatal) -P was specified on the command line, but the argument
           wasn't a valid port.  Ports must be port numbers; service names are
	   not allowed.

       missing address after -I
	   (Fatal) -I was given on the command line, but no address was given
	   after the option.

       missing port after -P
	   (Fatal) -P was given on the command line, but no port was given
	   after the option.

       must be run by user %s (%d), not %d
	   (Fatal) Someone other than the news user attempted to run innd‐
	   start.  inndstart may only be run by the news user for security
	   reasons.

EXAMPLES
       Normally, inndstart is never run directly.  However, a simple way to
       just restart innd (if it is not running) without running any other
       auxiliary programs or performing any of the other checks done by
       rc.news(8) is to just run:

	   inndstart

       as the news user.

       To start innd on port 433, passing it the "-c21" option, use:

	   inndstart -P433 -c21

ENVIRONMENT
       One environment variable affects the operation of inndstart itself:

       INNCONF The full path to the inn.conf(5) file to read, rather than the
               default.  This can be used to run multiple copies of INN on the
	       same machine with different settings.

       When executing innd, inndstart cleans out the entire environment and
       sets only the following variables:

       BIND_INADDR
	       Passed verbatim from inndstart's environment.  This is used by
	       various programs to override the bindaddress parameter in
	       inn.conf and therefore must be in innd's environment for pro‐
	       grams like innfeed(8).

       HOME    Set to pathnews from inn.conf.

       LOGNAME Set to the news master, as determined at configure time.

       PATH    Set to pathbin from inn.conf, pathetc from inn.conf, and then
	       /bin, /usr/bin, and /usr/ucb in that order.

       SHELL   Set to the path to the system Bourne shell as determined by
	       configure (probably /bin/sh).

       TMPDIR  Set to pathtmp from inn.conf.

       TZ      Passed verbatim from inndstart's environment.

       USER    Set to the news master, as determined at configure time.
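
       The environment handling listed above, as an added C example that is
       not INN's own source: the child environment is built from scratch
       rather than filtered.  struct settings, put() and build_env() are
       hypothetical names, and the settings values are constructed stand-ins
       for inn.conf parameters and configure-time constants.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 9   /* eight variables plus the terminating NULL */

/* Constructed stand-ins for inn.conf values and configure-time constants. */
struct settings {
    const char *pathnews, *pathbin, *pathetc, *pathtmp, *newsmaster, *shell;
};

/* Append NAME=value to env[]; returns the new count, or -1 on any failure. */
static int put(char **env, int n, const char *name, const char *value)
{
    size_t len;
    char *entry;

    if (n < 0 || n >= MAX_ENV - 1)
        return -1;
    len = strlen(name) + strlen(value) + 2;
    if ((entry = malloc(len)) == NULL)
        return -1;
    snprintf(entry, len, "%s=%s", name, value);
    env[n] = entry;
    env[n + 1] = NULL;
    return n + 1;
}

/* Fill env[] (MAX_ENV slots) for execve(); nothing else is inherited. */
int build_env(char **env, const struct settings *s)
{
    const char *pass[] = { "BIND_INADDR", "TZ" };  /* passed verbatim */
    char path[1024];
    int n = 0;
    size_t i;

    env[0] = NULL;
    for (i = 0; i < 2; i++) {
        const char *v = getenv(pass[i]);
        if (v != NULL)
            n = put(env, n, pass[i], v);
    }
    if (snprintf(path, sizeof(path), "%s:%s:/bin:/usr/bin:/usr/ucb",
                 s->pathbin, s->pathetc) >= (int) sizeof(path))
        return -1;
    n = put(env, n, "HOME", s->pathnews);
    n = put(env, n, "LOGNAME", s->newsmaster);
    n = put(env, n, "PATH", path);
    n = put(env, n, "SHELL", s->shell);
    n = put(env, n, "TMPDIR", s->pathtmp);
    return put(env, n, "USER", s->newsmaster);
}
```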

FILES
       inn.conf
	   Read for pathnews, pathbin, pathtmp, rlimitnofile, bindaddress, and
	   port.

       pathbin/innd
	   The binary that is executed as innd and passed the open network
	   socket.

HISTORY
       Written by Russ Allbery <rra@stanford.edu> for InterNetNews.

       $Id: inndstart.8 5912 2002-12-03 05:31:11Z vinocur $

SEE ALSO
       inn.conf(5), innd(8)

INN 2.4.0			  2002-12-03			  INNDSTART(8)