rc.news: checking whether we run as the news user

Russ Allbery eagle at eyrie.org
Wed Sep 24 22:50:46 UTC 2014


Noel Butler <noel.butler at ausics.net> writes:

> Being a privileged port it needs somewhere root to open that port, any
> starting of any privileged service should be run as root but change to
> effective user after starting, it's how every other heavily used common
> daemon out there works - think httpd, postfix, sendmail, dovecot,
> <opposition software>, the list goes on.

But it's a poor way to do it from a security perspective, and INN does it
a better way that doesn't require starting the entire complex binary as
root and hoping there are no bugs before you drop permissions.  The reason
why not many other software packages do what INN does is because it's
tricky and requires two completely separate implementations, one for
System V hosts and one for BSD hosts, but it does work, and it reduces the
footprint of code running as root by quite a lot.

For most users, rc.news is an internal implementation detail, and the init
script that's shipped with the distribution packages (or the init script
that comes with INN) does the right thing, so they don't have to think
about this particular detail.

I would say that we should just drop permissions in rc.news itself, but
that's irritating to do in a complex shell script since you basically have
to wrap every operation in a call to su.  In the long run, replacing
rc.news with good systemd / OpenRC / launchd / upstart / etc.
configurations would be the best approach, if a fair bit of work.  Most of
what rc.news does is start various daemons the hard way or kick off
various one-time cleanup jobs, which is now handled much better by modern
init systems.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
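
Added example, not part of the original message and not INN's code: a generic sketch of keeping the bind step in a tiny helper while the daemon itself never needs root. It assumes descriptor passing over a Unix socket (SCM_RIGHTS) as the hand-off, which the message does not specify; `helper_bind` and `acquire_listener` are hypothetical names, and the default port 0 lets it run without privileges.

```python
import os
import socket

def helper_bind(chan, host, port):
    """Helper side: the only code that would need root for a port < 1024."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind((host, port))
    lsock.listen(16)
    # Hand the listening descriptor to the daemon as SCM_RIGHTS ancillary data.
    socket.send_fds(chan, [b"F"], [lsock.fileno()])
    lsock.close()

def acquire_listener(host="127.0.0.1", port=0):
    """Daemon side: stays unprivileged and receives an already-bound socket."""
    daemon_end, helper_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        # Child stands in for the helper. In a real deployment this would be
        # a separate small privileged binary, not a fork of the daemon.
        status = 1
        try:
            daemon_end.close()
            helper_bind(helper_end, host, port)
            status = 0
        finally:
            os._exit(status)
    helper_end.close()
    # If the helper died before sending, this returns an empty message.
    msg, fds, _flags, _addr = socket.recv_fds(daemon_end, 1, 1)
    daemon_end.close()
    _, wait_status = os.waitpid(pid, 0)
    if os.waitstatus_to_exitcode(wait_status) != 0 or msg != b"F" or len(fds) != 1:
        for fd in fds:
            os.close(fd)
        raise RuntimeError("helper failed to bind %s:%d" % (host, port))
    # Wrap the received descriptor; family and type are detected from it.
    return socket.socket(fileno=fds[0])

if __name__ == "__main__":
    listener = acquire_listener()
    print("daemon holds listener on", listener.getsockname())
    listener.close()
```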