standalone-nnrpd "dies" when hitting resource limits

Bill Davidsen davidsen at tmr.com
Wed Jul 12 14:17:45 UTC 2000


On 11 Jul 2000, Russ Allbery wrote:

> Sven Paulus <sven at tin.org> writes:
> 
> > Another idea: Why are we running nnrpd as user "news"? The only cause I
> > can think of is to spool articles which couldn't be transmitted to
> > innd. If we add (optionally) another user we could separate DoS problems
> > like the one mentioned (some users opening some hundred connections to
> > nnrpd).
> 
> That's not at all a bad idea.  And if the other user were in group news,
> it could still have access to the local posting socket and the like, and
> one could even just make /news/incoming group-writeable (which I don't
> believe opens any additional security problems).

  What does this buy us? I can identify nnrpd from innd without having a
new userid to manage, and if you get hundreds of connections I fail to see
why they would hurt less from another user.

  If you don't want innd and nnrpd to interact you run nnrpd as a daemon
and put innd incoming on port 433, possibly on another NIC entirely.

  I may be having a stupid attack, but I fail to see any advantage to
running nnrpd as another user, and for those who do run nnrpd from innd,
as I suspect many small sites do, you then are likely to open more holes
doing the setuid() right than you ever close by having another user.

  Note: the new Linux kernel (iptables stack) allows control over packet
rate from a given IP, so I can limit socket opening rates if I want.

-- 
bill davidsen <davidsen at tmr.com>
  CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
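The setuid() pitfall raised above (getting the drop right is where the new holes come from), as an added example that is not code from this thread or from INN: a privilege drop that clears supplementary groups, sets the gid before the uid, and then checks that the drop actually stuck and cannot be reversed. The function names are assumptions; the target gid would be whatever group the operator picks (for example the news group, as suggested in the quoted reply). Linux/BSD only, because it uses setresuid/setresgid.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid in the order that sticks: supplementary groups first
 * (only possible while still root), then all three gids, then all three
 * uids. Doing uid first would leave us unable to change gid afterwards.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                      /* still root but cannot clear groups */
    if (setresgid(gid, gid, gid) != 0)  /* real, effective and saved gid */
        return -1;
    if (setresuid(uid, uid, uid) != 0)  /* real, effective and saved uid */
        return -1;
    return 0;
}

/* Verify the drop: every id matches the target and, when the target is
 * not root, an attempt to regain root is refused. Returns 1 if privileges
 * are gone for good, 0 if anything is still recoverable or mismatched. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;                       /* a saved uid of 0 lets setuid(0) succeed */
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;                       /* we just got root back: the drop failed */
    if (gid != 0 && setgid(0) == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Demonstration target: the ids we already run as, so this works unprivileged. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("privileges dropped and verified: %s\n",
           privileges_dropped(uid, gid) ? "yes" : "NO");
    return 0;
}
```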
