standalone-nnrpd "dies" when hitting resource limits

Russ Allbery rra at stanford.edu
Wed Jul 12 21:29:43 UTC 2000


Bill Davidsen <davidsen at tmr.com> writes:

> I may be having a stupid attack, but I fail to see any advantage to
> running nnrpd as another user, and for those who do run nnrpd from innd,
> as I suspect many small sites do, you then are likely to open more holes
> doing the setuid() right than you ever close by having another user.

I wouldn't have innd do it.

The idea is to have it be an *option* to run nnrpd as a different user
provided that you're running nnrpd from outside innd (such as via
tcpserver, which is the way that I intend to run it on my new reader box).

Major gain:  A compromise in nnrpd won't compromise either the news user
or root since the user nnrpd runs as won't have write access to anything
other than the incoming spool, and won't be able to run inndstart or
startinnfeed.

It's a similar philosophy to the way that a lot of djb's software works
(cf. qmail and tinydns); partitioning the work into a bunch of separate
users buys you defense in depth against any compromises, since a
compromise in one part of the system then doesn't automatically compromise
the whole thing.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
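One way to turn the separation argued for above into a check, added here as an example rather than code from the post, INN or tcpserver: a small Python audit that models the Unix permission rules for the identity nnrpd would run under and flags anything that breaks the rule "write only the incoming spool, never execute inndstart or startinnfeed". The function names, paths and modes are assumptions, and the miniature news tree that `demo` builds is constructed for the check.

```python
import os
import tempfile

def allowed(st, uid, gids, perm):
    """Unix discretionary access for perm in 'r','w','x': owner bits if uid
    matches, else group bits if a gid matches, else 'other' bits. Root
    bypasses r/w and needs only some x bit to execute."""
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if uid == 0:
        return perm != "x" or bool(st.st_mode & 0o111)
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)

def audit(uid, gids, incoming, read_only, forbidden):
    """Violations of the separation the post argues for: the nnrpd user
    writes only the incoming spool, cannot write the rest of the tree and
    cannot execute the privileged helpers (inndstart, startinnfeed)."""
    problems = []
    if not allowed(os.stat(incoming), uid, gids, "w"):
        problems.append(f"{incoming}: nnrpd user cannot write incoming spool")
    for path in read_only:
        if allowed(os.stat(path), uid, gids, "w"):
            problems.append(f"{path}: writable by nnrpd user")
    for path in forbidden:
        if allowed(os.stat(path), uid, gids, "x"):
            problems.append(f"{path}: executable by nnrpd user")
    return problems

def demo(root=None):
    """Constructed miniature news tree. Ownership cannot change without
    root, so the nnrpd identity is modelled as a uid/gid owning nothing
    here and 'owned by nnrpd' is stood in for by an other-writable dir."""
    root = root or tempfile.mkdtemp()
    incoming = os.path.join(root, "spool", "incoming")
    articles = os.path.join(root, "spool", "articles")
    bindir = os.path.join(root, "bin")
    for d in (incoming, articles, bindir):
        os.makedirs(d, exist_ok=True)
    os.chmod(incoming, 0o1773)  # nnrpd may write here
    os.chmod(articles, 0o755)  # read-only for nnrpd
    helpers = {"inndstart": 0o4710, "startinnfeed": 0o4711}  # 4711 is the slip
    for name, mode in helpers.items():
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    st = os.stat(incoming)
    nnrpd_uid, nnrpd_gids = st.st_uid + 1, {st.st_gid + 1}
    return audit(nnrpd_uid, nnrpd_gids, incoming, [articles],
                 [os.path.join(bindir, n) for n in helpers])
```

Running `demo()` reports only the helper whose mode grants execute to everyone; on a real box you would pass the actual nnrpd uid and group set and the real spool and bin paths.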
