stealth@caen.engin.umich.edu (Mike Pelletier) (09/08/90)
Just installed nntp 1.5.10, and ran into the following problem:
When I give the server the "post" command, it responds well,
and accepts the article well, however, immediately after the period
is entered ending the article, it replies with:
setgroups: not owner
But curiously enough, it later responds with the successful posting
response, and the article does indeed make it into the spooling directories
and database.
My nntpd is running perms 4711, so it creates incoming batches owned by
news. This arrangement worked without problems using 1.5.8, if this is
the culprit. What's really puzzling me is that none of the C-news or
NNTP source files have any mention of "setgroups" in them.
Any ideas? Thanks...
--
Michael V. Pelletier | "We live our lives with our hands on the
CAEN UseNet News Administrator | rear-view mirror, striving to get a better
Systems Group Programmer | view of the road behind us. Imagine what's
| possible if we look ahead and steer..."
sob@tmc.edu (Stan Barber) (09/08/90)
setgroups is in spawn.c and batch.c in the server directory of the distribution.
nntpd expects to run as root. If you spawn it as someone other than root, you can expect to see this message.
Other changes were made to NNTP to deal with various security concerns, so it can run as root and not do nasty things.
--
Stan Olan Barber | internet: sob@bcm.tmc.edu | uucp: {rutgers,mailrus}!bcm!sob
Director, Networking and Systems Support, Baylor College of Medicine
Opinions expressed are only mine.
tale@turing.cs.rpi.edu (David C Lawrence) (09/08/90)
In article <1886@gazette.bcm.tmc.edu> sob@tmc.edu (Stan Barber) writes:
> setgroups is in spawn.c and batch.c in the server directory of the
> distribution. nntpd expects to run as root. If you spawn it as
> someone other than root, you can expect to see this message.
> Other changes were made to NNTP to deal with various security concerns,
> so it can run as root and not do nasty things.
Please elaborate on what features of NNTP require it to be run as
root. I do not run nntpd as root, do not want to run it as root
and consider (just initial impressions without any facts to back it up)
that making it need to be run that way is a step in the wrong direction.
--
(setq mail '("tale@cs.rpi.edu" "tale@ai.mit.edu" "tale@rpitsmts.bitnet"))
I'm worried about the baggage retrieval system they've got at Heathrow.
lear@turbo.bio.net (Eliot) (09/08/90)
The way the code is written, initgroups is only called if the process is already root. Otherwise it blissfully continues.
--
Eliot Lear
[lear@turbo.bio.net]
sob@tmc.edu (Stan Barber) (09/08/90)
In article <Sep.7.18.35.26.1990.8866@turbo.bio.net> lear@turbo.bio.net (Eliot) writes:
>The way the code is written, initgroups is only called if the process
>is already root. Otherwise it blissfully continues.

Yep. That's true. My manual pages tell me that this error condition only results if setgroups is called as someone other than the super-user. Perhaps there is a problem with the groups or passwd file. Anyone know? I will dig up my 4.3 source if no one else happens to know other conditions under which a call to setgroups will fail with this error.

Also, if you don't run NNTPD as root, it will still work as long as it runs as the NEWSUSER and there are no permissions problems on the news programs and spool directory. Some people have both "news" and "usenet" and you need to be sure that nntp is running as the right one (particularly if you are using FAKESYSLOG).

The main things done to deal with security issues can be seen in the spawn.c and batch.c source files. I went to a lot of trouble to reset userids, groups (hence the setgroups call) and other similar efforts before forking other programs. If someone sees a security problem that would prevent NNTP from being run as root, I'd appreciate some mail. Thanks
--
Stan Olan Barber | internet: sob@bcm.tmc.edu | uucp: {rutgers,mailrus}!bcm!sob
Director, Networking and Systems Support, Baylor College of Medicine
Opinions expressed are only mine.
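The privilege reset discussed in the two posts above, as an added example that is not taken from the NNTP sources or written by any poster: it changes the group list only when the process is root, drops groups before the uid, and confirms root cannot be regained. The function names, the 64-entry group buffer and the account name "news" (standing in for NEWSUSER) are assumptions.

```c
#define _DEFAULT_SOURCE            /* for setgroups()/initgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_result { DROP_OK, DROP_NOT_ROOT, DROP_FAILED };

/* errno from re-setting the group list the process already has (0 = allowed).
 * Nothing changes on success; a non-root caller gets EPERM, whose classic
 * BSD message text is "Not owner". */
int setgroups_errno(void)
{
    gid_t groups[64];              /* assumed bound, enough for a demo */
    int n = getgroups(64, groups);
    if (n < 0)
        return errno;
    return setgroups((size_t)n, groups) == 0 ? 0 : errno;
}

/* Permanently become `user` before running a helper program. */
enum drop_result drop_privileges(const char *user)
{
    struct passwd *pw;

    if (geteuid() != 0)            /* not root: group calls would fail, */
        return DROP_NOT_ROOT;      /* so skip them and carry on as-is   */
    if ((pw = getpwnam(user)) == NULL)
        return DROP_FAILED;
    /* Groups first, uid last: once the uid is gone the rest is refused. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return DROP_FAILED;
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return DROP_FAILED;        /* root was still recoverable */
    return DROP_OK;
}

int main(void)
{
    int e = setgroups_errno();
    printf("setgroups as uid %d: %s\n", (int)geteuid(), e ? strerror(e) : "ok");
    /* "news" is an assumed account name standing in for NEWSUSER. */
    printf("drop_privileges: %d\n", (int)drop_privileges("news"));
    return 0;
}
```

A binary installed mode 4711 and owned by news has an effective uid of news, not 0, so it takes the DROP_NOT_ROOT path and never reaches the group calls.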
brian@ucsd.Edu (Brian Kantor) (09/08/90)
Depending on how readable your kernel is, you may also need to have nntpd run setgid kmem or whatever if you're using the load limiting code, since it needs to fetch that from the kernel's tables.

And if you're using minspace detection, it may need to be root to read the superblock to figure freespace in some kinds of filesystems.

All depends on how you have it configured and patched.
- Brian