innd (not) running as root and other changes and cleanup

Russ Allbery rra at stanford.edu
Thu Dec 21 05:14:02 UTC 2000


For a long time now, we've been telling people to be sure to start innd
with inndstart, and while it's possible to run innd directly as the news
user if using an unprivileged port, starting innd as root ends up leaving
various things owned by root instead of news.  It's also just a really bad
idea for various security-related reasons (at the least, with the default
installation, it gives news the ability to get root).

There was, however, some cruft in innd designed to try to handle being run
as root that's undergone a lot of bitrot, the AmRoot global variable and
the calls to xchown in particular.  innd also figured out what UID and GID
to run as by stating innconf->pathrun and using its ownership, which has
caused a lot of odd problems and is rather unintuitive.

In the process of reworking innd.c and trying to clean it up, I went ahead
and tackled this.  With the changes that I just checked in (which we can
always revert partially or fully if there's a problem; they've been
pending for long enough that I wanted to get them in so that people could
take a look at them), innd just flatly refuses to run as root, printing
out a hopefully useful error message and also logging it.  If run with any
UID other than root, it just uses the UID and GID it's running as.

This should let people with odd multiple server configurations still run
multiple copies of innd without using inndstart, or start innd without
inndstart if they want for some reason if it's using an unprivileged port,
while avoiding some of the problems that we ran into before.

Anyway, in addition to that, I also took out some old centerline debugging
stuff that required global variables (I think most debugging and analysis
packages these days can do similar things without needing as much cruft,
plus I don't think anyone's using that any more -- let me know if I'm
wrong), removed the DO_FAST_RESOLV stuff which just set options to tell
the resolver library not to pay attention to the domain/search parameters
in resolv.conf, which was off by default and not enough of an advantage
given how few lookups innd does to bother with, and moved a whole bunch of
utility functions from innd.c to a new util.c.

I also added the linkage for the new error handling functions to innd's
main, so innd components can start using warn and die.  (I'll send a
separate message asking about some details of innd's logging policy that
are odd and inconsistently enforced.)

It's a bunch of changes that shouldn't be user-noticeable for any standard
configuration, but it's still a bunch of changes.  Let me know if you hit
any problems, compile errors, or anything.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
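
The startup behaviour described in the message above (refuse to run as root, report it to the operator and the log, otherwise adopt the process's own UID and GID), as an added example. This is not INN source code: the function, struct and program names are hypothetical, and rejecting a root real UID as well as a root effective UID is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

/* Hypothetical type: the identity the daemon will own its files as. */
struct run_identity {
    uid_t uid;
    gid_t gid;
};

/*
 * Derive the run identity from the process credentials alone, with no
 * stat() of a directory to guess an owner.  Returns 0 and fills *id on
 * success; returns -1 and writes a reason to err when either the real or
 * the effective UID is root (checking both also rejects a setuid-root
 * binary started by an ordinary user).
 */
int
resolve_run_identity(uid_t ruid, uid_t euid, gid_t egid,
                     struct run_identity *id, char *err, size_t errlen)
{
    if (ruid == 0 || euid == 0) {
        snprintf(err, errlen, "refusing to run as root (ruid=%lu euid=%lu)",
                 (unsigned long) ruid, (unsigned long) euid);
        return -1;
    }
    id->uid = euid;
    id->gid = egid;
    err[0] = '\0';
    return 0;
}

int
main(void)
{
    struct run_identity id;
    char err[128];

    openlog("exampled", LOG_PID, LOG_DAEMON);     /* constructed program name */
    if (resolve_run_identity(getuid(), geteuid(), getegid(),
                             &id, err, sizeof(err)) != 0) {
        fprintf(stderr, "exampled: %s\n", err);   /* tell the operator */
        syslog(LOG_CRIT, "%s", err);              /* and leave a log record */
        return 1;
    }
    printf("running as uid=%lu gid=%lu\n",
           (unsigned long) id.uid, (unsigned long) id.gid);
    return 0;
}
```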


