INN commit: trunk/doc/pod (news.pod)
Ray Banana
rayban at banana.shacknet.nu
Mon Oct 27 05:57:04 UTC 2008
Russ Allbery wrote:
> Re-adding the mailing list -- hope you don't mind.
Sorry, my bad, just used "Reply" ...
>>> While innbind is new in 2.5, this restriction was previously implemented
>>> by inndstart, so I don't think it's really new.
>> I think it is new as far as *nnrpd* is concerned.
>
> nnrpd didn't use inndstart and hence had to be run as root in order to
> bind to any port at all below 1024 prior to 2.5, so there shouldn't be any
> new restriction in 2.5, just a new capability. If the process is running
> as root already, innbind isn't used. Hm, although I haven't checked; if
> nnrpd drops privileges before binding, there may be a bug here. It needs
> to bind before changing users.
>
>> I used to compile INN --with-innd-port=433 in order to have innd use
>> that port rather than 119 and run multiple nnrpd daemons on ports like
>> 80, 443 etc. With INN 2.5 this does not work any more.
>
> What specifically doesn't work? In other words, what exactly do you run
> and what error messages do you get?
> This is supposed to work fine as long as you start nnrpd as root (which
> would have been required for INN 2.4 as well).
I used to start nnrpd in daemon mode from an init script as root. In INN
2.4 nnrpd will start using any privileged port I specify and spawn new
nnrpd processes as the news user.
With INN 2.5 however, even if I start nnrpd as root, it will refuse to
bind to any other port than 119 and the one specified in --with-innd-port=

    innbind: cannot bind to restricted port 443 in 4,2,85.214.90.236,443

This seems to be hard-coded in
Line 182 of backends/innbind.c:

    /* Make sure that we're allowed to bind to that port. */
    if (port < 1024 && port != 119 && port != 433 && port != 563
        && port != INND_PORT)
        die("cannot bind to restricted port %hu in %s", port, spec);
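
The port check quoted in the message above, applied to spec strings of the kind shown in the innbind error. This is an added example, not part of the original message and not INN source code. The fd,family,address,port field order is an assumption read off the error line, and check_spec, spec_port, port_permitted and the innd_port parameter (standing in for INND_PORT) are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same condition as the quoted check; innd_port stands in for INND_PORT.
   Returns 1 if the port passes, 0 if it is a restricted port. */
static int port_permitted(unsigned long port, unsigned long innd_port)
{
    return !(port < 1024 && port != 119 && port != 433 && port != 563
             && port != innd_port);
}

/* Pull the port out of a spec such as "4,2,85.214.90.236,443".
   Assumption: the port is the fourth comma-separated field.
   Returns 0 and sets *port on success, -1 on a malformed spec. */
static int spec_port(const char *spec, unsigned long *port)
{
    const char *p = spec;
    char *end;
    int i;
    for (i = 0; i < 3; i++) {
        if ((p = strchr(p, ',')) == NULL)
            return -1;
        p++;
    }
    if (*p < '0' || *p > '9')
        return -1;
    *port = strtoul(p, &end, 10);
    return (*end == '\0' && *port <= 65535) ? 0 : -1;
}

/* 1 = bind permitted, 0 = refused as restricted, -1 = malformed spec. */
static int check_spec(const char *spec, unsigned long innd_port)
{
    unsigned long port;
    if (spec_port(spec, &port) != 0)
        return -1;
    return port_permitted(port, innd_port);
}

int main(void)
{
    /* First spec is from the error above; the second is constructed. */
    const char *specs[] = { "4,2,85.214.90.236,443", "4,2,192.0.2.10,563" };
    size_t i;
    for (i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-24s -> %d\n", specs[i], check_spec(specs[i], 433));
    return 0;
}
```

With innd_port set to 433, as in the --with-innd-port=433 build described above, port 443 is refused while 119, 433, 563 and any port at or above 1024 pass.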