inndstart(8) InterNetNews Documentation inndstart(8)
inndstart - Start innd
inndstart [-P port] [-I address] [innd-options]
The purpose of inndstart is to raise system file descriptor limits, open the privileged
news transfer port, and then start innd(8), passing it the open file descriptor for the
news port. inndstart is used since only privileged programs can perform those two opera-
tions and since innd should not run privileged. It is installed setuid root and drops
privileges to the news user (set at configure time) before running innd.
Normally there is no need to run inndstart directly. Instead, run rc.news(8) as the news
user, and it will handle running inndstart appropriately for you.
Since inndstart is setuid root, it is extremely restrictive about who can run it and what
it is willing to do. See the section on "SECURITY" for the full details.
inndstart can only be run by the news user; if run by any other user, it will abort. It
will also only bind to ports 119, 433, or a port number given at configure time with
--with-innd-port among those ports below 1024, although it can bind to any port above
1024. This is to prevent various security exploits possible by binding to arbitrary priv-
Before running innd, inndstart cleans out the environment and sets only those environment
variables listed in the section on "ENVIRONMENT".
Bind to port instead of whatever is specified by port in inn.conf(5). Note that this
is subject to the constraints mentioned above.
Bind as address instead of whatever is specified by bindaddress in inn.conf(5). The
default behavior is to bind to INADDR_ANY, and that's what's desired almost all the
time. This option, and the inn.conf(5) parameter, may be useful if the machine has
multiple interface cards and innd should only be listening on a particular one.
All other options given on the command line are passed verbatim to innd. In addition,
inndstart will give the -p option to innd, specifying the file descriptor of the open net-
inndstart is setuid root, and therefore an expected point of attack. It has therefore
been carefully written with security in mind. In a normal INN installation, it is
installed setuid root and executable only by users in the news group.
Ideally, everything about inndstart's operations would be hard-coded so that it could not
be modified. Fighting against this desire, however, is the ideal that as much of INN's
operation as possible should be configurable at run-time using inn.conf(5), and the news
system should be able to an alternate inn.conf by setting INNCONF to the path to that file
before starting any programs. The configuration data therefore can't be trusted.
The security model used is:
o inndstart can only be executed by the news user and news group, as determined at config-
ure time and compiled into inndstart as constants. Similarly, inndstart will always
setuid() and setgid() to those users before running innd. This is to prevent a user
other than news but in the news group from using inndstart to leverage that access into
access to the news account.
o As mentioned above, inndstart will only bind to a very limited set of ports below 1024.
There are various attacks that can be performed using random low-numbered ports, includ-
ing exploits of the rsh family of commands on some systems.
o inndstart does as little as possible as root, dropping privileges before performing any
operations that do not require elevated privileges.
This program therefore gives the news user the ability to revoke system file descriptor
limits and bind to the news port, and nothing else.
inndstart may log the following messages to syslog (like the rest of INN, syslog is the
best place to find detailed debugging information):
can't bind: %s
(Fatal) Unable to bind to the designated port. This usually means that something else
is already running on the news port. Check with netstat(8) and make sure that
inetd(8) doesn't think it's running a service on the same port you're trying to run
can't exec %s: %s
(Fatal) inndstart was unable to execute innd. Make sure that pathbin is set correctly
in inn.conf and that innd is located in that directory and is executable by the news
(Warning) Unable to obtain the current system resource limit on file descriptors.
Chances are something is wrong with the *rlimit() functions. The file descriptor
limit was left unchanged from the system default.
can't open socket: %s
(Fatal) Something went wrong in creating the network socket. Chances are your system
is out of resources of some kind.
can't setgid(%d): %s
(Fatal) Dropping privileges to the news group failed for some reason.
can't setgroups: %s
(Warning) Dropping all supplemental groups except the news group failed for some rea-
son, and the process group membership was left unchanged. This message may indicate a
minor security hole if the news user is in extra groups.
can't setrlimit(NOFILE, %d)
(Warning) Unable to set the system file descriptor limit to the specified value.
Either that value is too high for your system or something else went wrong. The file
descriptor limit was left unchanged. Try changing rlimitnofile in inn.conf to a
can't setsockopt: %s
(Warning) inndstart attempts to set SO_REUSEADDR so that if innd exits, it can be
restarted again immediately without waiting for the port to time out. For some rea-
son, this failed, and that option was not set on the port.
can't setuid(%d): %s
(Fatal) Dropping privileges to the news user failed for some reason.
can't stat pathrun (%s): %s
(Fatal) pathrun as specified in inn.conf doesn't exist.
(Fatal) Unable to determine the GID for the compiled-in news group. Is the news group
listed in /etc/group?
(Fatal) Unable to determine the UID for the compiled-in news user. Is the news user
listed in /etc/passwd?
invalid address %s
(Fatal) -I was specified on the command line, but the argument wasn't a valid address.
Addresses must be given as numeric IP addresses.
invalid bindaddress in inn.conf (%s)
(Fatal) The bindaddress specified in inn.conf could not be converted to an IP address.
See inn.conf(5) for more information about valid values.
invalid port %s
(Fatal) -P was specified on the command line, but the argument wasn't a valid port.
Ports must be port numbers; service names are not allowed.
missing address after -I
(Fatal) -I was given on the command line, but no address was given after the option.
missing port after -P
(Fatal) -P was given on the command line, but no port was given after the option.
pathrun (%s) not a directory
(Fatal) pathrun as specified in inn.conf isn't a directory. This is where innd will
create its local control socket; it should always be a directory.
pathrun (%s) owned by group %d, not %s (%d)
(Fatal) pathrun specified in inn.conf must be owned by the news group. This is
checked for security reasons.
pathrun (%s) owned by user %d, not %s (%d)
(Fatal) pathrun specified in inn.conf must be owned by the news user. This is checked
for security reasons.
ran by GID %d, who isn't %s (%d)
(Fatal) Someone not in the news group attempted to run inndstart. If you were running
inndstart as the news user, make sure that the news user's default group is the news
group you picked at compile time (`news' by default).
ran by UID %d, who isn't %s (%d)
(Fatal) Someone other than the news user attempted to run inndstart. inndstart may
only be run by the news user for security reasons.
seteuid(%d) failed: %s
(Fatal) Unable to change the effective UID. This usually means that inndstart was
installed with the wrong permissions. If it does have the correct permissions (setuid
root) and seteuid() to root (UID 0) is failing, this may mean that your system has
seteuid() but doesn't have support for POSIX saved UIDs. If this is the case, please
report this to the INN maintainers.
setreuid(%d, %d) failed: %s
(Fatal) Unable to change the real and effective UIDs. This message usually means that
inndstart was installed with the wrong permissions.
tried to bind to port %d
(Fatal) inndstart was told to bind to a low numbered port (under 1024) other than 119,
433, or a port number given at configure time. This is not allowed for security rea-
Normally, inndstart is never run directly. However, a simple way to just restart innd
without running any other auxilliary programs or performing any of the other checks done
by rc.news(8) is to just run:
as the news user.
To start innd on port 433, passing it the `-c21' option, use:
inndstart -P433 -c21
One environment variable affects the operation of inndstart itself:
INNCONF The full path to the inn.conf(5) file to read, rather than the default. This can
be used to run multiple copies of INN on the same machine with different settings.
When executing innd, inndstart cleans out the entire environmnent and sets only the fol-
Passed verbatim from inndstart's environment. This is apparently used on Linux.
HOME Set to pathnews from inn.conf.
LOGNAME Set to the news master, as determined at configure time.
PATH Set to pathbin from inn.conf, pathetc from inn.conf, and then /bin, /usr/bin, and
/usr/ucb in that order.
SHELL Set to the path to the system Bourne shell as determined by configure (probably
TMPDIR Set to pathtmp from inn.conf.
TZ Passed verbatim from inndstart's environment.
USER Set to the news master, as determined at configure time.
Read for pathnews, pathbin, pathrun, pathtmp, rlimitnofile, bindaddress, and port.
The binary that is executed as innd and passed the open network socket.
Checked for existence and the right ownership.
Written by Russ Allbery <firstname.lastname@example.org> for InterNetNews.
$Id: inndstart.8,v 1.2 1999/10/23 16:25:47 rra Exp $
3rd Berkeley Distribution INN 2.3 inndstart(8)