INN commit: trunk/doc/pod (news.pod)

Julien ÉLIE julien at trigofacile.com
Sun Nov 16 19:08:09 UTC 2008


Hi Russ and Ray,

>> +By default, innbind(8) refuses to bind to any port under 1024 other
>> +than 119, 433 and 563 for security reasons.  In order to run B<innd> or
>> +B<nnrpd> on a different port under 1024, you will have to use the
>> +B<--with-innd-port> configure option if there is only one supplementary
>> +port to use.  Otherwise, you can use inetd(8), xinetd(8), or some
>> +equivalent, to achieve your need.
>
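
Review bot: The closing sentence of this addition ("Otherwise, you can use inetd(8), xinetd(8), or some equivalent, to achieve your need.") leaves the reader guessing which case "Otherwise" covers and which of B<innd> and B<nnrpd> is meant to be started that way. Suggest stating the condition explicitly (more than one supplementary port under 1024), naming the program concerned, and replacing "to achieve your need" with plainer wording such as "instead".
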
> While innbind is new in 2.5, this restriction was previously implemented
> by inndstart, so I don't think it's really new.

I have just removed it and fixed the binding of nnrpd.


> I haven't looked, but I suspect that nnrpd is changing users to news too
> soon.  It needs to do the network socket bind first and then drop
> permissions.  This is a bug in nnrpd; rather than documenting it, we
> should just fix it (although it may take some restructuring).

The binding was done just after the change of users.
However, I do not understand your remark on revision 7198 (April 11th, 2005):

    Drop all of the ugly user switching and code for handling the -g option
    from nnrpd.  If people need special permissions for ckpasswd -s, they now
    need to set up ckpasswd accordingly, as described in the man page.  nnrpd
    no longer looks at the ownership of pathrun or other strange things and
    just switches to the news user if run as root.  Since it now uses innbind,
    it can do this even in daemon mode before binding to a port.

It seems that the code used to work.  But innbind's behaviour changed afterwards?
I just ask to be sure I have not broken something inadvertently with my change.

-- 
Julien ÉLIE

« Vinum nouum, amicus nouus : uesterascet, et cum suauitate bibes illud. »
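
The ordering discussed in this message (bind the network socket first, then drop permissions), as an added example that is not part of the original message and is not INN's code. The function names are hypothetical, and the caller is assumed to have already looked up the target uid and gid (for instance those of the news user).

```c
#define _DEFAULT_SOURCE /* exposes setgroups() under strict -std modes */
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: create a listening TCP socket on `port` while the
   process still has whatever privileges it started with. */
static int bind_listener(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Hypothetical helper: permanently become uid/gid.  Groups and gid go first,
   because after setuid() the process may no longer change them. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == uid)
        return 0; /* already running as the target user */
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    return (setuid(0) == 0 || geteuid() != uid) ? -1 : 0;
}

/* Bind first, then drop.  If the drop fails, close the socket and report
   failure rather than keep serving with the original privileges. */
int bind_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    int fd = bind_listener(port);
    if (fd >= 0 && drop_privileges(uid, gid) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Reversing the two steps, so that the user switch happens before `bind()`, is the "changing users too soon" case: the bind then runs without the privileges a port under 1024 normally requires.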



