INN commit: trunk/doc/pod (news.pod)

Ray Banana rayban at banana.shacknet.nu
Mon Oct 27 05:57:04 UTC 2008


Russ Allbery wrote:

> Re-adding the mailing list -- hope you don't mind.

Sorry, my bad, just used "Reply" ...

>>> While innbind is new in 2.5, this restriction was previously implemented
>>> by inndstart, so I don't think it's really new.
>> I think it is new as far as *nnrpd* is concerned.
> 
> nnrpd didn't use inndstart and hence had to be run as root in order to
> bind to any port at all below 1024 prior to 2.5, so there shouldn't be any
> new restriction in 2.5, just a new capability.  If the process is running
> as root already, innbind isn't used.  Hm, although I haven't checked; if
> nnrpd drops privileges before binding, there may be a bug here.  It needs
> to bind before changing users.
> 
>> I used to compile INN --with-innd-port=433 in order to have innd use
>> that port rather than 119 and run multiple nnrpd daemons on ports like
>> 80, 443 etc. With INN 2.5 this does not work any more.
> 
> What specifically doesn't work?  In other words, what exactly do you run
> and what error messages do you get?
> This is supposed to work fine as long as you start nnrpd as root (which
> would have been required for INN 2.4 as well).

I used to start nnrpd in daemon mode from an init script as root. In INN
2.4 nnrpd will start using any privileged port I specify and spawn new
nnrpd processes as the news user.

With INN 2.5 however, even if I start nnrpd as root, it will refuse to
bind to any other port than 119 and the one specified in --with-innd-port=:

innbind: cannot bind to restricted port 443 in 4,2,85.214.90.236,443

This seems to be hard-coded in


 Line 182 of backends/innbind.c:

   /* Make sure that we're allowed to bind to that port. */
   if (port < 1024 && port != 119 && port != 433 && port != 563
           && port != INND_PORT)
       die("cannot bind to restricted port %hu in %s", port, spec);

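Added example, not part of the original message and not INN's own code: the quoted check written as a small stand-alone C program, so the decision for a given spec can be seen directly. It assumes the spec is four comma-separated fields with the port last (inferred from the error message above) and that INND_PORT is 433, as in the build described in the thread; `port_allowed` and `check_spec` are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: built with --with-innd-port=433, as in the post. */
#define INND_PORT 433

/* The test quoted from innbind.c, as a predicate: 1 = bind permitted. */
static int port_allowed(unsigned long port)
{
    return port >= 1024 || port == 119 || port == 433 || port == 563
           || port == INND_PORT;
}

/* Assumed spec layout: four comma-separated fields, port last.
   Returns -1 if malformed, 0 if refused, 1 if permitted. */
int check_spec(const char *spec)
{
    const char *p;
    char *end;
    unsigned long port;
    int commas = 0;

    for (p = spec; *p != '\0'; p++)
        commas += (*p == ',');
    if (commas != 3)
        return -1;
    p = strrchr(spec, ',') + 1;
    if (*p < '0' || *p > '9')      /* reject "", "-1", "+80", " 80" */
        return -1;
    errno = 0;
    port = strtoul(p, &end, 10);
    if (errno != 0 || *end != '\0' || port > 65535)
        return -1;
    return port_allowed(port);
}

int main(void)
{
    /* First spec is from the error message; the rest are constructed. */
    const char *specs[] = { "4,2,85.214.90.236,443", "4,2,192.0.2.10,563",
                            "4,2,192.0.2.10,8080", "4,2,192.0.2.10" };
    size_t i;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-24s -> %d\n", specs[i], check_spec(specs[i]));
    return 0;
}
```

The allowlist is evaluated on the port alone, so the refusal for 443 does not depend on which user started the calling process.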

