nnrpd with SSL - questions
Russ Allbery
rra at stanford.edu
Sat Oct 18 21:29:21 UTC 2003
Boryan Yotov <yotov at prosyst.com> writes:
> I'm trying to get nnrpd working with SSL and at the time of this post
> I've found a few issues which are unclear to me:
> Note: I'm using inn-2.4.0
> 1. Should nnrpd be started as root (in order to bind to port 563), or
> does it need to be setuid root and started as the news user? This is for
> the case where nnrpd is started standalone or invoked using tcpwrappers.
If you want to run nnrpd in daemon mode, you have to start it as root.
Otherwise, you can use inetd, xinetd, tcpserver, or the like to bind to
the port and start nnrpd with each incoming connection.
> 2. In the nnrpd man page it is written that:
>> It is normally invoked by innd(8) with those descriptors attached to a
>> remote client connection.
> I didn't find a way to tell innd to listen on port 563. So my question
> here is: is there a way to make innd listen on port 563 as well as
> on 119, so that reader connections are then forwarded to nnrpd?
No. To get nnrpd to listen on 563, you have to start it from inetd,
xinetd, or the like or run it in daemon mode. You can't use innd to start
it.
> 3. I've started nnrpd in daemon mode using the following line as root:
> #/news/bin/nnrpd -D -b xxx.xxx.xxx.xxx -p 563 -S
> with the SSL certificate and RSA private key located in "/news/lib/cert.pem",
> owned by "news:news" and with permissions set to 0640 as proposed in the
> "sasl" man page and as performed when "make cert" is issued as root.
make cert has now been fixed in CVS to install the cert mode 0600.
> While starting nnrpd standalone as root I changed the
> /news/lib/cert.pem permissions and owner as follows:
> #chown root:root /news/lib/cert.pem
> #chmod 0700 /news/lib/cert.pem
> This time no "bad ownership or permissions on private key"
> error was logged, but instead:
I wonder if this would work better if you made it mode 0600.
> To me it looks like the reason for my problem is that I've started
> nnrpd with the root UID. Do I need to start it setuid root with the news
> UID? Or is there a defined way in which this needs to be performed? 10x in
> advance :)
nnrpd should switch to the news user if you start it as root.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
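A pre-start check for the key-file ownership and permission problem discussed in this thread, added here as an example and not code from the thread or from INN itself. It assumes the path of the PEM file is passed in and that nnrpd drops privileges to a user named "news" (the default if no second argument is given).

```shell
#!/bin/sh
# Added example (not from the thread or from INN): verify that a TLS
# private key file is usable by nnrpd once it has switched to the news
# user, and that it is not readable by group or world.
# Usage: check_key_perms /news/lib/cert.pem news
# Returns 0 when the file passes, 1 otherwise, printing the reason.
check_key_perms() {
    key="$1"
    want_owner="${2:-news}"   # assumption: nnrpd runs as the "news" user

    if [ ! -f "$key" ]; then
        echo "FAIL: $key does not exist or is not a regular file"
        return 1
    fi

    # ls -ld output is portable across GNU and BSD userlands: field 1 is
    # the mode string (e.g. -rw-------), field 3 the owning user.
    set -- $(ls -ld "$key")
    mode="$1"
    owner="$3"

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $key is owned by $owner, expected $want_owner" \
             "(a root-only key is unreadable after nnrpd switches users)"
        return 1
    fi

    # Characters 2-4 of the mode string are the owner bits,
    # characters 5-10 the group and other bits.
    owner_bits=$(printf '%s' "$mode" | cut -c2-4)
    rest_bits=$(printf '%s' "$mode" | cut -c5-10)

    case "$owner_bits" in
        r*) ;;   # owner can read the key
        *)  echo "FAIL: $key is not readable by $owner"; return 1 ;;
    esac

    if [ "$rest_bits" != "------" ]; then
        echo "FAIL: $key has group/other permissions ($mode); use chmod 0600"
        return 1
    fi

    echo "OK: $key is $mode, owned by $owner"
    return 0
}
```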