INNDSTART(8)              InterNetNews Documentation              INNDSTART(8)



NAME

       inndstart - Start innd


SYNOPSIS

       inndstart [-P port] [-I address] [innd-options]


DESCRIPTION

       The purpose of inndstart is to raise system file descriptor limits,
       open the privileged news transfer port, and then start innd(8), passing
       it the open file descriptor for the news port.  inndstart is used since
       only privileged programs can perform those two operations and since
       innd should not run with elevated privileges.  It is installed setuid
       root and drops privileges to the news user (as set at configure time)
       before running innd.

       Normally there is no need to run inndstart directly.  Instead, run
       rc.news(8) as the news user, and it will handle running inndstart
       appropriately for you.

       Since inndstart is setuid root, it is extremely restrictive about who
       can run it and what it is willing to do.  See "SECURITY" for the full
       details.

       inndstart can only be run by the news user; if run by any other user,
       it will abort.  Among the ports below 1024, it will bind only to 119,
       433, or a port number given at configure time with --with-innd-port;
       it can bind to any port above 1024.  This is to prevent the various
       security exploits made possible by binding to arbitrary privileged
       ports.

       Before running innd, inndstart cleans out the environment and sets only
       those environment variables listed in "ENVIRONMENT".


OPTIONS

       -P port
           Bind to port instead of whatever is specified by port in inn.conf.
           Note that this is subject to the constraints mentioned above.

       -I address
           Bind as address instead of whatever is specified by bindaddress in
           inn.conf.  The default behavior is to bind to INADDR_ANY, and
           that's what's desired almost all the time.  This option, and the
           inn.conf parameter, may be useful if the machine has multiple
           interface cards and innd should only be listening on a particular
           one.

       All other options given on the command line are passed verbatim to
       innd.  In addition, inndstart will give the -p option to innd,
       specifying the file descriptor of the open network socket.


SECURITY

       inndstart is setuid root, and therefore an expected point of attack.
       It has therefore been carefully written with security in mind.  In a
       normal INN installation, it is installed setuid root and executable
       only by users in the news group.

       Ideally, everything about inndstart's operations would be hard-coded so
       that it could not be modified.  Fighting against this desire, however,
       is the ideal that as much of INN's operation as possible should be
       configurable at run-time using inn.conf, and the news system should be
       able to use an alternate inn.conf by setting INNCONF to the path to
       that file before starting any programs.  The configuration data
       therefore can't be trusted.

       The security model used is:

       · inndstart can only be executed by the news user and news group, as
         determined at configure time and compiled into inndstart as
         constants.  Similarly, inndstart will always setuid() and setgid() to
         that user and group before running innd.  This is to prevent a user
         other than news but in the news group from using inndstart to
         leverage that access into access to the news account.

       · As mentioned above, inndstart will only bind to a very limited subset
         of ports below 1024.  There are various attacks that can be performed
         using random low-numbered ports, including exploits of the rsh(1)
         family of commands on some systems.

       · inndstart does as little as possible as root, dropping privileges
         before performing any operations that do not require elevated
         privileges.

       This program therefore gives the news user the ability to raise system
       file descriptor limits and bind to the news port, and nothing else.

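       The two checks at the heart of this model, written out as C functions
       for illustration (this is added example code, not INN's own): the port
       policy from "DESCRIPTION", and the privilege drop in the order the
       diagnostics below reveal (setgroups, setgid, setuid) followed by a
       check that root cannot be regained.  INND_PORT is an assumed
       placeholder for the value given to --with-innd-port.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1        /* for setgroups() in <grp.h> on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef INND_PORT
#define INND_PORT 119   /* assumed placeholder for the --with-innd-port value */
#endif

/* Return 1 if the helper may bind PORT under the man page's policy: any
 * port above 1023, and below 1024 only 119, 433 or the compiled-in port.
 * Everything else is refused before any socket is opened. */
int port_allowed(int port)
{
    if (port < 1 || port > 65535)
        return 0;
    if (port >= 1024)
        return 1;
    return port == 119 || port == 433 || port == INND_PORT;
}

/* Permanently drop root to UID/GID in the order the page describes:
 * supplemental groups (still needs root), then the gid, then the uid.
 * Unlike inndstart, which only warns on setgroups() failure, this treats
 * every step as fatal, and it verifies afterwards that root cannot be
 * regained.  Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    gid_t groups[1] = { gid };

    if (setgroups(1, groups) < 0)   /* "can't setgroups" */
        return -1;
    if (setgid(gid) < 0)            /* "can't setgid to %d" */
        return -1;
    if (setuid(uid) < 0)            /* "can't setuid to %d" */
        return -1;
    if (uid != 0 && (setuid(0) == 0 || getuid() != uid || geteuid() != uid)) {
        errno = EPERM;              /* the drop did not stick; refuse to go on */
        return -1;
    }
    return 0;
}
```

       drop_privileges() needs to start as root to do anything useful; the
       port policy can be exercised by any user.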

DIAGNOSTICS

       inndstart may log the following messages to syslog and print them to
       stderr.

       can't bind: %s
           (Fatal) Unable to bind to the designated port.  This usually means
           that something else is already running on the news port.  Check
           with netstat(8) and make sure that inetd(8) doesn't think it's
           running a service on the same port you're trying to run innd on.

       can't bind to restricted port %d
           (Fatal) inndstart was told to bind to a low-numbered port (under
           1024) other than 119, 433, or a port number given at configure
           time.  This is not allowed for security reasons.  If you're running
           innd on a port other than 119 or 433, you need to give the
           --with-innd-port flag to "configure" when you compile INN.

       can't exec %s: %s
           (Fatal) inndstart was unable to execute innd.  Make sure that
           pathbin is set correctly in inn.conf and that innd is located in
           that directory and is executable by the news user.

       can't getgrnam(%s)
           (Fatal) Unable to determine the GID for the compiled-in news group.
           Perhaps the news group is not listed in /etc/group.

       can't getpwnam(%s)
           (Fatal) Unable to determine the UID for the compiled-in news user.
           Perhaps the news user is not listed in /etc/passwd.

       can't open socket: %s
           (Fatal) Something went wrong in creating the network socket.
           Chances are your system is out of resources of some kind.

       can't set file descriptor limit to %d: %s
           (Warning) Unable to set the system file descriptor limit to the
           specified value; the limit was left unchanged.  Perhaps that value
           is too high for your system.  Try changing rlimitnofile in inn.conf
           to a smaller value.

       can't set SO_REUSEADDR: %s
           (Warning) inndstart attempts to set SO_REUSEADDR using
           setsockopt(2) so that if innd exits, it can be restarted again
           immediately without waiting for the port to time out.  For some
           reason, this failed, and that option was not set on the port.

       can't seteuid to %d: %s
           (Fatal) Unable to change the effective UID.  If inndstart has the
           correct permissions (setuid root) and seteuid to root (UID 0) is
           failing, this may mean that your system has seteuid(2) but doesn't
           have support for POSIX saved UIDs.  If this is the case, please
           report this to the INN maintainers.

       can't setgid to %d: %s
           (Fatal) Dropping privileges to the news group failed for some
           reason.

       can't setgroups (is inndstart setuid root?): %s
           (Warning) Dropping all supplemental groups except the news group
           failed for some reason, and the process group membership was left
           unchanged.  This almost always indicates that inndstart isn't
           setuid root as it has to be to do what it does.  Make sure that
           inndstart is setuid root, owned by group news, and mode 4710.

       can't setuid to %d: %s
           (Fatal) Dropping privileges to the news user failed for some
           reason.

       invalid address %s
           (Fatal) -I was specified on the command line, but the argument
           wasn't a valid address.  Addresses must be given as numeric IP
           addresses.

       invalid bindaddress in inn.conf (%s)
           (Fatal) The bindaddress specified in inn.conf could not be
           converted to an IP address.  See inn.conf(5) for more information
           about valid values.

       invalid port %s (must be a number)
           (Fatal) -P was specified on the command line, but the argument
           wasn't a valid port.  Ports must be port numbers; service names are
           not allowed.

       missing address after -I
           (Fatal) -I was given on the command line, but no address was given
           after the option.

       missing port after -P
           (Fatal) -P was given on the command line, but no port was given
           after the option.

       must be run by user %s (%d), not %d
           (Fatal) Someone other than the news user attempted to run
           inndstart.  inndstart may only be run by the news user for security
           reasons.


EXAMPLES

       Normally, inndstart is never run directly.  However, a simple way to
       just restart innd (if it is not running) without running any other
       auxiliary programs or performing any of the other checks done by
       rc.news(8) is to just run:

           inndstart

       as the news user.

       To start innd on port 433, passing it the "-c21" option, use:

           inndstart -P433 -c21


ENVIRONMENT

       One environment variable affects the operation of inndstart itself:

       INNCONF The full path to the inn.conf(5) file to read, rather than the
               default.  This can be used to run multiple copies of INN on the
               same machine with different settings.

       When executing innd, inndstart cleans out the entire environment and
       sets only the following variables:

       BIND_INADDR
               Passed verbatim from inndstart's environment.  This is used by
               various programs to override the bindaddress parameter in
               inn.conf and therefore must be in innd's environment for
               programs like innfeed(8).

       HOME    Set to pathnews from inn.conf.

       LOGNAME Set to the news master, as determined at configure time.

       PATH    Set to pathbin from inn.conf, pathetc from inn.conf, and then
               /bin, /usr/bin, and /usr/ucb in that order.

       SHELL   Set to the path to the system Bourne shell as determined by
               configure (probably /bin/sh).

       TMPDIR  Set to pathtmp from inn.conf.

       TZ      Passed verbatim from inndstart's environment.

       USER    Set to the news master, as determined at configure time.

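       Building that environment from an empty list rather than filtering the
       caller's, as an added example (not INN's own code): the innconf
       structure holding the inn.conf and configure-time values is
       constructed here, everything not named above is dropped, and
       BIND_INADDR and TZ are copied through only when present.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define INND_ENV_MAX 16  /* eight possible entries plus the NULL terminator */

struct innconf {  /* constructed: the inn.conf and configure-time values named above */
    const char *pathnews, *pathbin, *pathetc, *pathtmp, *newsmaster, *shell;
};

/* Find NAME in a NULL-terminated "NAME=value" array; NULL if absent. */
static const char *env_lookup(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (; *env != NULL; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=') return *env + n + 1;
    return NULL;
}

/* Append "name=value" to OUT, keeping it NULL-terminated; new count or -1. */
static int env_add(char **out, int count, const char *name, const char *value)
{
    size_t len = strlen(name) + strlen(value) + 2;
    if (count < 0 || count >= INND_ENV_MAX - 1 || (out[count] = malloc(len)) == NULL)
        return -1;
    snprintf(out[count], len, "%s=%s", name, value);
    out[count + 1] = NULL;
    return count + 1;
}

/* Build innd's environment from scratch, so nothing but the eight listed
 * names can reach innd.  BIND_INADDR and TZ come verbatim from the caller and
 * only if present; the rest come from the configuration.  Returns the entry
 * count or -1 (an env_add failure propagates); caller frees out[0..n-1]. */
int build_innd_env(const struct innconf *c, char *const *parent, char **out)
{
    char path[1024];
    const char *v; int n = 0;
    snprintf(path, sizeof path, "%s:%s:/bin:/usr/bin:/usr/ucb", c->pathbin, c->pathetc);
    const char *fixed[][2] = {
        { "HOME", c->pathnews }, { "LOGNAME", c->newsmaster }, { "PATH", path },
        { "SHELL", c->shell },   { "TMPDIR", c->pathtmp },     { "USER", c->newsmaster },
    };
    if ((v = env_lookup(parent, "BIND_INADDR")) != NULL)
        n = env_add(out, n, "BIND_INADDR", v);
    if ((v = env_lookup(parent, "TZ")) != NULL)
        n = env_add(out, n, "TZ", v);
    for (size_t i = 0; i < 6; i++)
        n = env_add(out, n, fixed[i][0], fixed[i][1]);
    return n;
}
```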

FILES

       inn.conf
           Read for pathnews, pathbin, pathtmp, rlimitnofile, bindaddress, and
           port.

       pathbin/innd
           The binary that is executed as innd and passed the open network
           socket.


HISTORY

       Written by Russ Allbery <rra@stanford.edu> for InterNetNews.

       $Id: inndstart.8 5912 2002-12-03 05:31:11Z vinocur $


SEE ALSO

       inn.conf(5), innd(8)



INN 2.4.0                         2002-12-03                      INNDSTART(8)