rc.news: checking whether we run as the news user

Julien ÉLIE julien at trigofacile.com
Thu Sep 25 21:01:03 UTC 2014


Hi Noel,

>> I suggest to check whether rc.news is run as another user ID than
>> the "news" user (in all cases, be it start or stop).
> 
> That's going backwards...
> 
> Being a privileged port it needs somewhere root to open that port, any 
> starting of any privileged service should be run as root but change to 
> effective user after starting, it's how every other heavily used common 
> daemon out there works - think httpd, postfix, sendmail, dovecot, 
> <opposition software>, the list goes on.

To complement Russ' answer, I would add that the binding is done thanks to a setuid root program named innbind.  It permits innd and nnrpd to bind to ports under 1024.  Quoting its documentation, "the only functions that it's willing to perform are to bind an open file descriptor to a given address and port or to create a new socket, bind it, and return the bound socket to its caller.  It can only be run as the news user (as specified at configure time), and will only bind to ports 119, 433, 563, an additional port specified with the --with-innd-port argument to configure, or ports numbered 1024 or higher."

That's why the rc.news script does not need to be run as the root user.



> Secondly, given most daemons on servers are started from startup 
> scripts, it makes more sense to do it this way, the fact inn doesn't has 
> amazed me for some time.

INN of course is started via a startup script.  I have been using an init.d/inn2 script on my Debian system for years, consisting of:

#!/bin/sh
# /etc/init.d/inn2: start and stop INN entirely as the unprivileged
# news user.  Binding to ports below 1024 is delegated to the setuid
# innbind helper shipped with INN, so this script never needs to keep
# anything running as root.

LOG=/var/log/news/rc.news

start () {
    # rc.news starts innd and the other INN daemons.
    su news -c /home/news/bin/rc.news >> "$LOG" 2>&1
    # A separate standalone nnrpd serves NNTPS (port 563) with its own
    # readers configuration; -D runs it as a daemon, -S enables TLS.
    su news -c '/home/news/bin/nnrpd -D -c /home/news/etc/readers-ssl.conf -p 563 -S' >> "$LOG" 2>&1
}

stop () {
    # Stop the standalone nnrpd first.  --user limits the match to
    # processes owned by news (--chuid only applies to --start and is
    # ignored on --stop); --oknodo makes it succeed if none is running.
    start-stop-daemon --stop --name nnrpd --quiet --oknodo --user news \
      >> "$LOG" 2>&1
    # Then let rc.news shut innd and its helpers down cleanly.
    su news -c '/home/news/bin/rc.news stop' >> "$LOG" 2>&1
}

case "$1" in
    start)
        echo -n "Starting news server: "
        start
        echo "done."
        ;;
    stop)
        echo -n "Stopping news server: "
        stop
        echo "done."
        ;;
    reload|force-reload)
        echo -n "Reloading most INN configuration files: "
        /home/news/bin/ctlinnd -t 20 reload '' 'init script'
        echo "done."
        ;;
    restart)
        # Only innd is restarted here: throttle it so no articles are
        # accepted mid-restart, then have it re-exec itself (xexec).
        # If innd is not running, or xexec fails, fall back to a plain start.
        echo -n "Restarting innd: "
        if [ -f /var/run/news/innd.pid ]; then
            /home/news/bin/ctlinnd -t 20 throttle 'init script' > /dev/null || true
            /home/news/bin/ctlinnd -t 20 xexec innd > /dev/null || start
        else
            start
        fi
        echo "done."
        ;;
    *)
        echo "Usage: /etc/init.d/inn2 {start|stop|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac



That's it.
As Russ says, rc.news is an internal program shipped with INN, called by the startup script.



As you mention httpd earlier in your mail, I wish to recall that my Debian init.d/apache2 startup script has 286 lines and does lots of checks.  It then calls apache2ctl, which is a 180-line shell script (the equivalent of rc.news).
apache2ctl finally starts the apache2 binary (httpd), the same way rc.news finally starts the innd binary.


How INN is started then shouldn't amaze you, as it is not that unusual!



> I did not comment 
> on that other previous thread, but that OP made some very good points 
> about modernising inn to be friendlier, but sadly it seems that rather than 
> consider it, it was instantly discarded into the too-hard basket

Well, I'm sorry to have given that impression.
I understand the point made and tried to give a few pointers to help him achieve his goal of limiting concurrent users.  Unfortunately, it was not enough owing to performance issues.  I couldn't give more, and I do not currently have enough time (and also probably experience) to code what he would have liked to see in INN.

-- 
Julien ÉLIE

« For Rome, the direction matters little, since all roads
  lead there. » (Astérix)
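As an added example (written for this page, not INN's own innbind), the following is a minimal setuid-root helper that applies the same policy the innbind documentation quoted in the message describes: it refuses to act unless the real uid is the news user, it only binds to 119, 433, 563, one optional extra port or a port of 1024 or higher, and the only thing it ever does with root is the bind() itself before giving the privilege up. It assumes the news user name is compiled in as "news", that no extra port is configured (EXTRA_PORT is -1), and that the caller passes an already-open socket by descriptor number; innbind's second mode, creating the socket and handing it back, is left out. The usage line and the helper name are hypothetical.

```c
/*
 * bindhelper: innbind-style setuid helper (example code, not INN's innbind).
 *
 * Usage (hypothetical): bindhelper <fd> <ipv4-address> <port>
 *
 * The caller, running as the unprivileged news user, creates a socket and
 * exec()s this program with the socket inherited as descriptor <fd>.  The
 * helper checks who is asking and which port is wanted, performs the bind(),
 * then drops root permanently and exits.  The caller keeps using its own fd.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define NEWS_USER  "news"   /* assumption: fixed at build time, as innbind does it */
#define EXTRA_PORT -1       /* assumption: no --with-innd-port equivalent configured */

/* Port policy from the quoted documentation: 119 (NNTP), 433 (NNSP),
 * 563 (NNTPS), one configured extra port, or any port >= 1024. */
int port_allowed(int port, int extra_port)
{
    if (port < 1 || port > 65535)
        return 0;
    if (port == 119 || port == 433 || port == 563)
        return 1;
    if (extra_port > 0 && port == extra_port)
        return 1;
    return port >= 1024;
}

/* Caller policy: the REAL uid must be the news user.  In a setuid-root
 * binary the effective uid is 0 for everyone, so getuid() is the value
 * that still identifies who actually ran the helper. */
int caller_allowed(uid_t real_uid, uid_t news_uid)
{
    return real_uid == news_uid;
}

/* Bind an already-open socket to addr:port.  Returns 0 on success, -1 with
 * errno set otherwise.  This is the single operation that needs root. */
int bind_fd(int fd, const char *addr, int port)
{
    struct sockaddr_in sin;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons((unsigned short) port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    return bind(fd, (struct sockaddr *) &sin, sizeof(sin));
}

int main(int argc, char **argv)
{
    struct passwd *pw;
    int fd, port;

    if (argc != 4) {
        fprintf(stderr, "usage: %s fd address port\n", argv[0]);
        return 2;
    }
    pw = getpwnam(NEWS_USER);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", NEWS_USER);
        return 2;
    }
    if (!caller_allowed(getuid(), pw->pw_uid)) {
        fprintf(stderr, "must be run as %s\n", NEWS_USER);
        return 1;
    }
    fd = atoi(argv[1]);
    port = atoi(argv[3]);
    if (!port_allowed(port, EXTRA_PORT)) {
        fprintf(stderr, "port %d not permitted\n", port);
        return 1;
    }
    if (bind_fd(fd, argv[2], port) != 0) {
        perror("bind");
        return 1;
    }
    /* With euid 0, setuid() sets real, effective and saved uid, so root
     * cannot be regained; nothing after the bind() runs privileged. */
    if (setuid(getuid()) != 0) {
        perror("setuid");
        return 1;
    }
    return 0;
}
```

The point of this shape, compared with starting the whole daemon as root and switching uid later, is that the code running with privilege is a few dozen auditable lines with a fixed allow-list, rather than the entire startup path of innd or nnrpd; the daemon itself never has root to lose.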

