INN under NetBSD

Russ Allbery rra at stanford.edu
Thu Jun 3 23:59:29 UTC 2004


Matthias Scheler <tron at NetBSD.org> writes:

> Of NetBSD? None, just list "NetBSD". My first INN installation was 1.5.2
> on a NetBSD 1.1 system, my current news server runs 2.4.1 under NetBSD
> 1.6.2.  And I've tested the INN 2.4.1 package on a 2.0 system, too. It
> just works.

Okay.

> My opinion is that the code which #ifdef-ed out is bad code. Why isn't
> it enough that the euid is the news user?

The intention was to drop any other privileges that rnews may
inadvertantly have from its previous ID, but now that I look at this, this
doesn't work anywhere else either (it just fails silently elsewhere).
You're right, there's no particular need to change the real UID.

I've patched this up in CVS (and added code to switch to the news user if
the real or effective UID is root, just to keep from writing batch files
as root).

> BTW: why has "rnews" to be setuid "news" at all? Shouldn't access to
>      the Unix domain socket be enough do its job?

Having access to the Unix domain socket is sufficient; that's what this
allows for.

Note that rnews is only installed setuid news if INN is specifically built
with --enable-uucp-rnews.  This is intentionally not the default, since
most sites won't need it.  For sites that do, the issue is that the UUCP
subsystem is running as user/group uucp/uucp, which doesn't have access to
the Unix domain socket.  rnews could just be installed setgid news, but
then the problem is that it would have to either be owned by the UUCP user
(which may not be uucp or may not be present) or world-executable, both of
which aren't always what people want.

Making it setuid news, group uucp, and only group executable keeps the
access rights down while accomplishing the intended goal.

> From the manual page of setuid(2):

>      The setuid() function sets the real and effective user IDs and the
>      saved set-user-ID of the current process to the specified value.
>      The setuid() function is permitted if the specified ID is equal to
>      the real user ID of the process, or if the effective user ID is
>      that of the super user.

Right, this makes sense now.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the inn-bugs mailing list