nnrpd with SSL - questions
Vitor Carlos Flausino
vflausino at dti.pga.pt
Mon Oct 20 15:08:45 UTC 2003
Hello!
Can you tell me what the line in inetd should look like?
Thanks,
-vcf
Russ Allbery wrote:
>Boryan Yotov <yotov at prosyst.com> writes:
>
>>I'm trying to get nnrpd working with SSL and at the time of this post
>>I've found a few issues which are unclear to me:
>>
>>Note: I'm using inn-2.4.0
>>
>>1. Should nnrpd be started as root (in order to bind to port 563) or
>>does it need to be setuid root and started as the news user? This is
>>for the case where nnrpd is started standalone or invoked using
>>tcpwrappers.
>
>If you want to run nnrpd in daemon mode, you have to start it as root.
>Otherwise, you can use inetd, xinetd, tcpserver, or the like to bind to
>the port and start nnrpd with each incoming connection.
>
>>2. In the nnrpd man page it is written that:
>>
>>>It is normally invoked by innd(8) with those descriptors attached to a
>>>remote client connection.
>>
>>I didn't find a way to order innd to listen on port 563. So my question
>>here is: is there a way to make innd listen on port 563 as well as
>>on 119 so that reader connections are then forwarded to nnrpd?
>
>No. To get nnrpd to listen on 563, you have to start it from inetd,
>xinetd, or the like or run it in daemon mode. You can't use innd to start
>it.
>
>>3. I've started nnrpd in daemon mode using the following line as root:
>>
>>#/news/bin/nnrpd -D -b xxx.xxx.xxx.xxx -p 563 -S
>>
>>with the SSL certificate and RSA private key located in "/news/lib/cert.pem",
>>owned by "news:news" and with permissions set to 0640 as proposed in the
>>"sasl" man page and as performed when "make cert" is issued from root.
>
>make cert has now been fixed in CVS to install the cert mode 0600.
>
>>While I'm starting nnrpd standalone as root I changed the
>>/news/lib/cert.pem permissions and owner as follows:
>>
>>#chown root:root /news/lib/cert.pem
>>#chmod 0700 /news/lib/cert.pem
>>
>>This time no "bad ownership or permissions on private key"
>>error was logged but instead:
>
>I wonder if this would work better if you made it mode 0600.
>
>>To me it looks like the reason for my problem is that I've started
>>nnrpd with root UID. Do I need to start it setuid root with the news
>>UID? Or is there a defined way how this needs to be performed? Thanks in
>>advance :)
>
>nnrpd should switch to the news user if you start it as root.
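For the inetd question, an added illustration that is not from the thread or from INN's own documentation: a POSIX shell snippet that emits the inetd.conf line (and the equivalent xinetd stanza) for starting nnrpd with SSL on the nntps service, and checks that the key file has the ownership and mode the thread converges on (owned by news, mode 0600). It assumes GNU stat, the /news/bin/nnrpd and /news/lib/cert.pem paths from the quoted post, an /etc/services entry mapping nntps to 563/tcp, and news as the run-as user.

```shell
#!/bin/sh
# Added example (not from the thread or INN): inetd-mode nnrpd with SSL.
# Paths follow the quoted post; "nntps" assumes /etc/services maps it to 563/tcp.
NNRPD=/news/bin/nnrpd
CERT=/news/lib/cert.pem
NEWS_USER=news

# inetd.conf fields: service socktype proto wait/nowait user server args...
# inetd binds port 563 itself, so nnrpd runs directly as the news user;
# -S is the nnrpd flag from the thread that negotiates SSL on the connection.
inetd_line() {
    printf 'nntps stream tcp nowait %s %s nnrpd -S\n' "$NEWS_USER" "$NNRPD"
}

# The same service as an xinetd stanza.
xinetd_stanza() {
    cat <<EOF
service nntps
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = $NEWS_USER
    server      = $NNRPD
    server_args = -S
}
EOF
}

# Whoever opens the key must be its owner: inetd starts nnrpd as news, and
# in daemon mode nnrpd drops from root to news. So the key belongs to news
# with mode 0600, as the fixed "make cert" installs it. Uses GNU stat (assumption).
check_key_perms() {
    file=$1
    owner=$2
    [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }
    actual_owner=$(stat -c '%U' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    [ "$actual_owner" = "$owner" ] ||
        { echo "$file: owned by $actual_owner, expected $owner" >&2; return 1; }
    [ "$mode" = "600" ] ||
        { echo "$file: mode $mode, expected 600" >&2; return 1; }
}

# Run with --show to print the configs and check the real key file.
if [ "${1:-}" = "--show" ]; then
    inetd_line
    xinetd_stanza
    check_key_perms "$CERT" "$NEWS_USER" && echo "$CERT: ok"
fi
```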