1INNDSTART(8) InterNetNews Documentation INNDSTART(8)
2
6 inndstart - Start innd
7
9 inndstart [-P port] [-I address] [innd-options]
10
12 The purpose of inndstart is to raise system file descriptor limits,
13 open the privileged news transfer port, and then start innd(8), passing
14 it the open file descriptor for the news port. inndstart is used since
15 only privileged programs can perform those two operations and since
16 innd should not run with elevated privileges. It is installed setuid
17 root and drops privileges to the news user (as set at configure time)
18 before running innd.
19 Normally there is no need to run inndstart directly. Instead, run
21 rc.news(8) as the news user, and it will handle running inndstart
22 appropriately for you.
23 Since inndstart is setuid root, it is extremely restrictive about who
25 can run it and what it is willing to do. See "SECURITY" for the full
26 details.
27 inndstart can only be run by the news user; if run by any other user,
29 it will abort. It will also only bind to ports 119, 433, or a port
30 number given at configure time with --with-innd-port among those ports
31 below 1024, although it can bind to any port above 1024. This is to
32 prevent various security exploits possible by binding to arbitrary
33 privileged ports.
34 Before running innd, inndstart cleans out the environment and sets only
36 those environment variables listed in "ENVIRONMENT".
37
39 -P port
40 Bind to port instead of whatever is specified by port in inn.conf.
41 Note that this is subject to the constraints mentioned above.
42 -I address
44 Bind as address instead of whatever is specified by bindaddress in
45 inn.conf. The default behavior is to bind to INADDR_ANY, and
46 that's what's desired almost all the time. This option, and the
47 inn.conf parameter, may be useful if the machine has multiple
48 interface cards and innd should only be listening on a particular
49 one.
50 All other options given on the command line are passed verbatim to
52 innd. In addition, inndstart will give the -p option to innd, specify‐
53 ing the file descriptor of the open network socket.
54
56 inndstart is setuid root, and therefore an expected point of attack.
57 It has therefore been carefully written with security in mind. In a
58 normal INN installation, it is installed setuid root and executable
59 only by users in the news group.
60 Ideally, everything about inndstart's operations would be hard-coded so
62 that it could not be modified. Fighting against this desire, however,
63 is the ideal that as much of INN's operation as possible should be con‐
64 figurable at run-time using inn.conf, and the news system should be
65 able to an alternate inn.conf by setting INNCONF to the path to that
66 file before starting any programs. The configuration data therefore
67 can't be trusted.
68 The security model used is:
70 · inndstart can only be executed by the news user and news group, as
72 determined at configure time and compiled into inndstart as con‐
73 stants. Similarly, inndstart will always setuid() and setgid() to
74 those users before running innd. This is to prevent a user other
75 than news but in the news group from using inndstart to leverage that
76 access into access to the news account.
77 · As mentioned above, inndstart will only bind to a very limited subset
79 of ports below 1024. There are various attacks that can be performed
80 using random low-numbered ports, including exploits of the rsh(1)
81 family of commands on some systems.
82 · inndstart does as little as possible as root, dropping privileges
84 before performing any operations that do not require elevated privi‐
85 leges.
86 This program therefore gives the news user the ability to revoke system
88 file descriptor limits and bind to the news port, and nothing else.
89
91 inndstart may log the following messages to syslog and print them to
92 stderr.
93 can't bind: %s
95 (Fatal) Unable to bind to the designated port. This usually means
96 that something else is already running on the news port. Check
97 with netstat(8) and make sure that inetd(8) doesn't think it's run‐
98 ning a service on the same port you're trying to run innd on.
99 can't bind to restricted port %d
101 (Fatal) inndstart was told to bind to a low numbered port (under
102 1024) other than 119, 433, or a port number given at configure
103 time. This is not allowed for security reasons. If you're running
104 innd on a port other than 119 or 433, you need to give the
105 --with-innd-port flag to "configure" when you compile INN.
106 can't exec %s: %s
108 (Fatal) inndstart was unable to execute innd. Make sure that path‐
109 bin is set correctly in inn.conf and that innd is located in that
110 directory and is executable by the news user.
111 can't getgrnam(%s)
113 (Fatal) Unable to determine the GID for the compiled-in news group.
114 Perhaps the news group is not listed in /etc/group.
115 can't getpwnam(%s)
117 (Fatal) Unable to determine the UID for the compiled-in news user.
118 Perhaps the news user is not listed in /etc/passwd.
119 can't open socket: %s
121 (Fatal) Something went wrong in creating the network socket.
122 Chances are your system is out of resources of some kind.
123 can't set file descriptor limit to %d: %s
125 (Warning) Unable to set the system file descriptor limit to the
126 specified value; the limit was left unchanged. Perhaps that value
127 is too high for your system. Try changing rlimitnofile in inn.conf
128 to a smaller value.
129 can't set SO_REUSEADDR: %s
131 (Warning) inndstart attempts to set SO_REUSEADDR using setsock‐
132 opt(2) so that if innd exits, it can be restarted again immediately
133 without waiting for the port to time out. For some reason, this
134 failed, and that option was not set on the port.
135 can't seteuid to %d: %s
137 (Fatal) Unable to change the effective UID. If inndstart has the
138 correct permissions (setuid root) and seteuid to root (UID 0) is
139 failing, this may mean that your system has seteuid(2) but doesn't
140 have support for POSIX saved UIDs. If this is the case, please
141 report this to the INN maintainers.
142 can't setgid to %d: %s
144 (Fatal) Dropping privileges to the news group failed for some rea‐
145 son.
146 can't setgroups (is inndstart setuid root?): %s
148 (Warning) Dropping all supplemental groups except the news group
149 failed for some reason, and the process group membership was left
150 unchanged. This almost always indicates that inndstart isn't
151 setuid root as it has to be to do what it does. Make sure that
152 inndstart is setuid root, owned by group news, and mode 4710.
153 can't setuid to %d: %s
155 (Fatal) Dropping privileges to the news user failed for some rea‐
156 son.
157 invalid address %s
159 (Fatal) -I was specified on the command line, but the argument
160 wasn't a valid address. Addresses must be given as numeric IP
161 addresses.
162 invalid bindaddress in inn.conf (%s)
164 (Fatal) The bindaddress specified in inn.conf could not be con‐
165 verted to an IP address. See inn.conf(5) for more information
166 about valid values.
167 invalid port %s (must be a number)
169 (Fatal) -P was specified on the command line, but the argument
170 wasn't a valid port. Ports must be port numbers; service names are
171 not allowed.
172 missing address after -I
174 (Fatal) -I was given on the command line, but no address was given
175 after the option.
176 missing port after -P
178 (Fatal) -P was given on the command line, but no port was given
179 after the option.
180 must be run by user %s (%d), not %d
182 (Fatal) Someone other than the news user attempted to run innd‐
183 start. inndstart may only be run by the news user for security
184 reasons.
185
187 Normally, inndstart is never run directly. However, a simple way to
188 just restart innd (if it is not running) without running any other aux‐
189 illiary programs or performing any of the other checks done by
190 rc.news(8) is to just run:
191 inndstart
193 as the news user.
195 To start innd on port 433, passing it the "-c21" option, use:
197 inndstart -P433 -c21
199
201 One environment variable affects the operation of inndstart itself:
202 INNCONF The full path to the inn.conf(5) file to read, rather than the
204 default. This can be used to run multiple copies of INN on the
205 same machine with different settings.
206 When executing innd, inndstart cleans out the entire environmnent and
208 sets only the following variables:
209 BIND_INADDR
211 Passed verbatim from inndstart's environment. This is used by
212 various programs to override the bindaddress parameter in
213 inn.conf and therefore must be in innd's environment for pro‐
214 grams like innfeed(8).
215 HOME Set to pathnews from inn.conf.
217 LOGNAME Set to the news master, as determined at configure time.
219 PATH Set to pathbin from inn.conf, pathetc from inn.conf, and then
221 /bin, /usr/bin, and /usr/ucb in that order.
222 SHELL Set to the path to the system Bourne shell as determined by
224 configure (probably /bin/sh).
225 TMPDIR Set to pathtmp from inn.conf.
227 TZ Passed verbatim from inndstart's environment.
229 USER Set to the news master, as determined at configure time.
231
233 inn.conf
234 Read for pathnews, pathbin, pathtmp, rlimitnofile, bindaddress, and
235 port.
236 pathbin/innd
238 The binary that is executed as innd and passed the open network
239 socket.
240
242 Written by Russ Allbery <rra@stanford.edu> for InterNetNews.
243 $Id: inndstart.8 5912 2002-12-03 05:31:11Z vinocur $
245
247 inn.conf(5), innd(8)
248INN 2.4.0 2002-12-03 INNDSTART(8)