INNBIND(8)                InterNetNews Documentation                INNBIND(8)




NAME

       innbind - Helper program to bind sockets to privileged ports


SYNOPSIS

       innbind [-p] fd,family,address,port [...]


DESCRIPTION

       innbind is a helper program that's not meant to be run directly.
       Instead, innd and nnrpd use it internally to bind to ports that require
       root privileges to bind to.

       This program must be installed setuid root in order for innd or nnrpd
       to bind to ports under 1024.  The only functions that it's willing to
       perform are to bind an open file descriptor to a given address and port
       or to create a new socket, bind it, and return the bound socket to its
       caller.  It can only be run as the news user (as specified at configure
       time), and will only bind to ports 119, 433, 563, an additional port
       specified with the --with-innd-port argument to configure, or ports
       numbered 1024 or higher.

       Each argument to innbind must be a comma-separated list of four
       elements.  The first is the file descriptor number that should be
       bound, the second is the numeric family of the socket (the system's
       value of AF_INET or AF_INET6), the third is the local address to bind
       to (in dotted-quad format for IPv4 and in colon-separated address
       format for IPv6), and the fourth is the port number.  To bind to all
       addresses with IPv4, use 0.0.0.0 as the address.  To bind to all
       addresses with IPv6, use "::" as the address.

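       The following is an added example and is not INN's innbind source: a
       small C reimplementation of the argument format and the port policy
       described above, so that the checks can be exercised on their own.
       The names innbind_check_arg, innbind_arg_status and innbind_request
       are this example's own, and INND_PORT stands in for the port given to
       --with-innd-port (assumed here to be 119).  It differs from the real
       program in one deliberate way: it parses IPv4 addresses with
       inet_pton(3), which accepts only the full dotted-quad form, whereas
       innbind uses inet_aton(3).

```c
/* Added example, not INN's innbind source: the "fd,family,address,port"
 * argument format and the port policy from the DESCRIPTION, as a function. */
#include <arpa/inet.h>
#include <ctype.h>
#include <limits.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define INND_PORT 119  /* stand-in for --with-innd-port; assumed, not INN's */

enum innbind_status {
    INNBIND_OK = 0,
    INNBIND_BAD_ARG,         /* not exactly four comma-separated fields */
    INNBIND_BAD_FD,          /* fd is not a non-negative integer */
    INNBIND_BAD_FAMILY,      /* family not a number, or not AF_INET/AF_INET6 */
    INNBIND_BAD_ADDRESS,     /* address does not parse for that family */
    INNBIND_BAD_PORT,        /* port is not a number in 1..65535 */
    INNBIND_ZERO_PORT,       /* "port may not be zero" */
    INNBIND_RESTRICTED_PORT  /* "cannot bind to restricted port" */
};

struct innbind_request {
    int fd, family;
    unsigned short port;
    struct sockaddr_storage addr;  /* ready to hand to bind(2) */
};

/* Strict non-negative decimal: no sign, no whitespace, no trailing junk.
 * Overflow is caught by the range checks in the caller. */
static int parse_uint(const char *s, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char) *s)) return -1;
    *out = strtoul(s, &end, 10);
    return (*end == '\0') ? 0 : -1;
}

/* Port policy: 119, 433, 563, the configured innd port, or 1024 and up. */
static int port_allowed(unsigned long port)
{
    if (port == 0) return INNBIND_ZERO_PORT;
    if (port > 65535) return INNBIND_BAD_PORT;
    if (port >= 1024 || port == 119 || port == 433 || port == 563 || port == INND_PORT)
        return INNBIND_OK;
    return INNBIND_RESTRICTED_PORT;
}

/* Validate one argument; on INNBIND_OK fill *req (NULL means check only). */
int innbind_check_arg(const char *arg, struct innbind_request *req)
{
    struct innbind_request local;
    char copy[256], *parts[4] = { copy };
    unsigned long fd, family, port;
    int i, rc;
    if (req == NULL) req = &local;
    if (strlen(arg) >= sizeof copy) return INNBIND_BAD_ARG;
    strcpy(copy, arg);
    for (i = 1; i < 4; i++) {
        char *comma = strchr(parts[i - 1], ',');
        if (comma == NULL) return INNBIND_BAD_ARG;
        *comma = '\0';
        parts[i] = comma + 1;
    }
    if (strchr(parts[3], ',') != NULL) return INNBIND_BAD_ARG;
    if (parse_uint(parts[0], &fd) < 0 || fd > INT_MAX) return INNBIND_BAD_FD;
    if (parse_uint(parts[1], &family) < 0 || family > INT_MAX)
        return INNBIND_BAD_FAMILY;
    if (parse_uint(parts[3], &port) < 0) return INNBIND_BAD_PORT;
    if ((rc = port_allowed(port)) != INNBIND_OK) return rc;
    /* inet_pton is used for both families here; the real innbind uses
     * inet_aton for IPv4, which also accepts shorthand such as "10.1". */
    memset(&req->addr, 0, sizeof req->addr);
    if (family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *) &req->addr;
        sin->sin_family = AF_INET;
        sin->sin_port = htons((unsigned short) port);
        rc = inet_pton(AF_INET, parts[2], &sin->sin_addr);
    } else if (family == AF_INET6) {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &req->addr;
        sin6->sin6_family = AF_INET6;
        sin6->sin6_port = htons((unsigned short) port);
        rc = inet_pton(AF_INET6, parts[2], &sin6->sin6_addr);
    } else
        return INNBIND_BAD_FAMILY;
    if (rc != 1) return INNBIND_BAD_ADDRESS;
    req->fd = (int) fd; req->family = (int) family;
    req->port = (unsigned short) port;
    return INNBIND_OK;
}

/* Build the argument the way innd would and report only the status. */
int innbind_arg_status(int fd, int family, const char *address, unsigned port)
{
    char arg[256];
    snprintf(arg, sizeof arg, "%d,%d,%s,%u", fd, family, address, port);
    return innbind_check_arg(arg, NULL);
}
```

       The family number is formatted from the caller's own AF_INET or
       AF_INET6 rather than hard-coded, since those constants differ between
       systems; everything that reaches bind(2) is range-checked first, which
       is the property an auditor of a setuid helper most wants to confirm.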
       Multiple arguments can be specified to tell innbind to bind multiple
       sockets at the same time.  Any errors (other than permission denied
       -- see below) encountered will cause innbind to abort, and error
       messages will be sent both to syslog and to standard error.

       By default, innbind attempts to just bind the already open file
       descriptor that it inherits from its caller.  For each successfully
       bound file descriptor (in the order given on the command line), innbind
       prints "ok" and a newline to its standard output.

       On some systems (apparently just STREAMS-based systems), however, even
       a setuid root program cannot bind a socket to a privileged port if the
       socket was created by a process that didn't have permission to do so.
       If innbind gets permission denied when trying to bind a socket, it will
       print "no" and a newline to its standard output.  It will then create a
       new socket, bind it as specified, and then attempt to pass that socket
       back to its caller using the I_SENDFD STREAMS ioctl.  The caller should
       receive that file descriptor with I_RECVFD and use it instead of the
       one that it created.

       Note that file descriptor passing is only supported on STREAMS-based
       systems since it is done with ioctls over a pipe.  However, it is
       believed that those systems are exactly the systems that can't simply
       bind the inherited file descriptor.  If this assumption proves to be
       incorrect, traditional BSD file descriptor passing over a Unix domain
       socket will have to be added.


OPTIONS

       -p  If given as the first command-line argument, no attempt will be
           made to bind the inherited file descriptor; innbind will only try
           to create a new file descriptor and pass it back via standard
           output.  This option is primarily useful for testing.


SECURITY

       As innbind is normally installed setuid root, security is even more of
       an issue for it than for other parts of INN.  It is a fairly short
       program, and if you understand C, you are encouraged to audit it
       yourself to be certain that it does only what it is supposed to do.
       The only INN library functions it uses are the vector functions, the
       message functions for error reporting, and xstrdup.

       The ports that will be bound are restricted to prevent potential
       attacks made possible by the ability to bind low-numbered ports, such
       as exploits of the rsh(1) family of commands on some systems (which
       trust connections that originate from a privileged source port).  If
       innbind is installed setuid root, it can only be executed by the news
       user to prevent other users on the system from being able to bind to
       even those few privileged ports that it allows.

       innbind uses no external configuration files; the only files it might
       open are through the system getpwnam(3) service to get the UID of the
       news user.  The only user input that it accepts is its command-line
       arguments.


DIAGNOSTICS

       innbind may log the following messages to syslog and print them to
       standard error.

       cannot create socket for %s: %s
           (Fatal) innbind fell back on attempting to create a new socket to
           bind for the given argument, and the socket creation failed.

       cannot bind socket for %s: %s
           (Fatal) Calling bind for the socket corresponding to the given
           argument failed with a system error.  If the error indicates
           permission denied, make sure that innbind is setuid root.  This can
           also be caused by trying to use IPv6 on a system whose kernel does
           not support it.

       cannot bind to restricted port %hu in %s
           (Fatal) The port number portion of the given command-line argument
           is for a port below 1024 which is not 119, 433, 563, or a port
           given to --with-innd-port at configure time.  Other ports are not
           allowed for security reasons.

       cannot get socket options for file descriptor %d: %s
           (Fatal) innbind was unable to get the socket options for that file
           descriptor.  The most likely cause of this error is passing the
           wrong file descriptor number to innbind (a file descriptor that
           isn't open, or that corresponds to a regular file rather than a
           network socket).

       cannot get UID for %s
           (Fatal) innbind was unable to get the UID for the news user
           specified during configure (and defaulting to "news").  This
           normally means that user isn't in the system passwd file.

       cannot mark socket reusable for %s: %s
           (Fatal) innbind created a new socket for the given argument but was
           unable to mark its bind address reusable (the SO_REUSEADDR socket
           option).

       cannot pass file descriptor: %s
           (Fatal) innbind created and bound a new file descriptor but was
           unable to pass it back to its caller via its standard output, using
           the I_SENDFD STREAMS ioctl.

       invalid file descriptor %d: not SOCK_STREAM
           (Fatal) The given file descriptor is not a SOCK_STREAM socket.
           innbind can only bind SOCK_STREAM sockets.

       invalid IPv4 address %s in %s
           (Fatal) The IPv4 address specified in the given command-line option
           could not be parsed by inet_aton(3).  IPv4 addresses should be
           specified in the standard dotted-quad format (10.2.3.4).

       invalid IPv6 address %s in %s
           (Fatal) The IPv6 address specified in the given command-line option
           could not be parsed by inet_pton(3).  IPv6 addresses should be
           specified in RFC 4291 format (1080:0:0:0:8:800:200C:417A or
           1080::8:800:200C:417A).

       invalid command-line argument %s
           (Fatal) The specified command-line argument could not be parsed or
           was not in the correct format.

       invalid file descriptor %s in %s
           (Fatal) The file descriptor portion of the given command-line
           argument is not a non-negative integer.

       invalid port number %s in %s
           (Fatal) The port number portion of the given command-line argument
           is not a non-negative integer.

       invalid protocol family %s in %s
           (Fatal) The protocol family portion of the given command-line
           argument is not a non-negative integer.  It should be equal to
           either AF_INET or AF_INET6 on the system where innbind is run.

       must be run by user %s (%lu), not %lu
           (Fatal) When setuid root, innbind may only be run by the news user
           as specified at configure time ("news" by default), for security
           reasons.

       no addresses specified
           (Fatal) No arguments were given on the command line (except maybe
           -p).

       port may not be zero in %s
           (Fatal) The port number portion of the given command-line argument
           was zero.

       unknown protocol family %s in %s
           (Fatal) The protocol number portion of the given command-line
           argument is neither AF_INET nor AF_INET6.


EXAMPLES

       As mentioned above, innbind is never run directly, only by innd and
       other programs that need to bind to and listen to network ports.
       Sample invocations by innd would be:

           innbind 3,10,::,119

       to bind the IPv6 socket on file descriptor 3 to port 119, all
       addresses, or:

           innbind 6,2,10.0.0.3,433

       to bind the IPv4 socket on file descriptor 6 to port 433 on the address
       10.0.0.3.  The family numbers in these examples (10 for AF_INET6 and 2
       for AF_INET) are the values of those constants on Linux; the caller
       passes whatever its own system defines.


HISTORY

       Written by Russ Allbery <rra@stanford.edu> for InterNetNews.

       $Id: innbind.pod 8894 2010-01-17 13:04:04Z iulius $


SEE ALSO

       inet_aton(3), inet_pton(3), innd(8), nnrpd(8).



INN 2.5.2                         2010-08-11                        INNBIND(8)