roy@alanine.phri.nyu.edu (Roy Smith) (07/11/90)
We run nntp 1.5.7 and C-news (most recent patch, 14-Sep-1989) on a Vax-11/750 running MtXinu 4.3BSD/NFS. As a temporary measure to gain some space after being off the net for a week and getting flooded with news when we got reconnected, I recently mounted /usr/spool/news/in.coming remotely. What I actually did was to make a temporary file system on wombat (a Sun-3/180 running SunOS-3.5.2) called /news and mount wombat:/news as /usr/spool/news/temp, mv in.coming/* to temp, and make a symlink from in.coming to temp. Got that? :-)

All the 40 or so Mbytes of spooled news waiting in in.coming eventually got processed. But, when new news would come in via nntp, it would just fall into a black hole. The occasional article we still get via uucp would get processed without any trouble. I could see the nntp traffic on the ethernet using tcpdump or netscope, and could see nntpd running on the vax when I did ps, but no files would show up in in.coming, no entries would be made in any of the news or nntp log files or the errlog files.

Eventually I figured out that what was going on was that nntpd was running as root and root permissions do not extend across NFS mount points. One question this brings up is, does nntp really have to run as root? Could I run nntp as news instead? Another is, why didn't nntp log any error messages anywhere? /usr/lib/news/nntperrlog would be the obvious place, but there isn't anything there about getting write failures. There are some other error messages in nntperrlog about some random badness in my history file, so I know nntpd was able to write onto nntperrlog.
--
Roy Smith, Public Health Research Institute
455 First Avenue, New York, NY 10016
roy@alanine.phri.nyu.edu -OR- {att,cmcl2,rutgers,hombre}!phri!roy
"Arcane? Did you say arcane? It wouldn't be Unix if it wasn't arcane!"
lidl@eng.umd.edu (Kurt J. Lidl) (07/12/90)
In article <1990Jul11.164853.1715@phri.nyu.edu> roy@alanine.phri.nyu.edu (Roy Smith) writes:
>[problem description & solution deleted]
>One question this brings up is, does nntp really have to run as
>root? Could I run nntp as news instead? Another is, why didn't nntp log
>any error messages anywhere? /usr/lib/news/nntperrlog would be the obvious
>place, but there isn't anything there about getting write failures. There
>are some other error messages in nntperrlog about some random badness in my
>history file, so I know nntpd was able to write onto nntperrlog.

I ran into similar problems a long time ago. I now run my nntpd as news. I'm thoroughly convinced that it is evil to do otherwise. I don't want the news system to be puking random files into /, and so forth (it has happened here, folks).

The error messages about random badness in your history file are a bug in nntp. I just tracked this down. For C News, there is a possibility that the history file will have an entry of

    mess-id (tab) arrival-time (return)

i.e. only one tab in the line, for an expired message. NNTP thinks that anything that doesn't have two tabs per line in the history file is corrupted... There's a one-line fix in the misc.c file of NNTP to make it stop logging these messages.

>Roy Smith, Public Health Research Institute
--
/* Kurt J. Lidl (lidl@eng.umd.edu) | Unix is the answer, but only if you */
/* UUCP: uunet!eng.umd.edu!lidl     | phrase the question very carefully. */
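A parser that accepts both history-line shapes Kurt describes, as an added C example rather than code from NNTP, C News or any poster. It assumes the layout "message-id TAB arrival-time TAB files" for a live entry and just the first two fields for an expired one; the sample lines in the test are constructed.

```c
#include <string.h>

/* Result of parsing one history line. */
enum hist_kind { HIST_BAD = -1, HIST_EXPIRED = 0, HIST_LIVE = 1 };

struct hist_entry {
    char msgid[256];
    char arrival[64];
    char files[512];   /* left empty for an expired entry (one tab) */
};

/* Copy [s, s+n) into a fixed buffer; returns 0 if it does not fit or is empty. */
static int copy_field(char *dst, size_t cap, const char *s, size_t n)
{
    if (n == 0 || n >= cap) return 0;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 1;
}

/* Parse one line (trailing newline optional) into *e and return its kind.
   Zero tabs or three or more tabs are treated as corrupt, as NNTP does;
   exactly one tab is the expired-article form C News writes, not corruption. */
int parse_history_line(const char *line, struct hist_entry *e)
{
    const char *end = line + strcspn(line, "\n");
    const char *t1, *t2;

    memset(e, 0, sizeof *e);
    t1 = memchr(line, '\t', (size_t)(end - line));
    if (t1 == NULL || !copy_field(e->msgid, sizeof e->msgid, line, (size_t)(t1 - line)))
        return HIST_BAD;

    t2 = memchr(t1 + 1, '\t', (size_t)(end - (t1 + 1)));
    if (t2 == NULL) {   /* one tab: expired message, arrival time runs to end of line */
        return copy_field(e->arrival, sizeof e->arrival, t1 + 1, (size_t)(end - (t1 + 1)))
               ? HIST_EXPIRED : HIST_BAD;
    }
    if (!copy_field(e->arrival, sizeof e->arrival, t1 + 1, (size_t)(t2 - (t1 + 1))))
        return HIST_BAD;
    if (memchr(t2 + 1, '\t', (size_t)(end - (t2 + 1))) != NULL)
        return HIST_BAD;   /* a third tab really is a corrupt line */
    return copy_field(e->files, sizeof e->files, t2 + 1, (size_t)(end - (t2 + 1)))
           ? HIST_LIVE : HIST_BAD;
}
```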
Sm@bhpese.oz.au (Scott Merrilees) (07/12/90)
roy@alanine.phri.nyu.edu (Roy Smith) writes:
>... One question this brings up is, does nntp really have to run as
>root? Could I run nntp as news instead?

The only reason I can see for nntp to need to be root is for the initial bind of the nntp server socket. My nntp binds this socket, then does a setgid(news_group); setuid(news_owner); and then runs happily. I only use nntp to serve articles to nntp-based news readers, so I can't comment on xfer, link, ihave/sendme etc. This is nntp 1.5.8.

Sm
--
Scott Merrilees, BHP Information Technology, Newcastle, Australia
Internet: Sm@bhpese.oz.au   Phone: +61 49 402132
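The bind-then-drop start-up Scott describes, as an added C example that is not code from nntp or from any poster. The account and group name "news" are assumptions, and the drop is checked afterwards so a daemon that is still root (which Roy's NFS black hole turned on) fails loudly instead of carrying on.

```c
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind and listen on a TCP port; returns the fd or -1. Port 119 (nntp)
   is privileged, so a daemon does this before giving up root. */
int bind_listener(unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to uid/gid permanently. setgid() must come first: once setuid() has
   succeeded the process is no longer root and the group change would fail.
   (A production daemon also clears supplementary groups with setgroups()
   before setgid(); omitted here to keep the example portable.) */
int drop_to_ids(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;                         /* refuse to stay root */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    /* Check the drop stuck on both real and effective ids... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ...and that root cannot be regained: success here means it was not permanent. */
    if (setuid(0) == 0) return -1;
    return 0;
}

/* Look up the account and group by name (assumed "news"/"news") and drop to them. */
int drop_to_user(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL) return -1;
    return drop_to_ids(pw->pw_uid, gr->gr_gid);
}
```

A daemon calls bind_listener(119) first and drop_to_user("news", "news") second; the accept() loop then runs as news, so a write failure shows up as EACCES rather than vanishing.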
nagel@esp.ics.uci.edu (Mark Nagel) (07/12/90)
Sm@bhpese.oz.au (Scott Merrilees) writes:
>The only reason I can see for nntp to need to be root is for the initial
>bind of the nntp server socket. My nntp binds this socket, then does a
>setgid(news_group); setuid(news_owner); and then runs happily. I only use
>nntp to server articles to nntp based news readers, so I can't comment on
>xfer, link, ihave/sendme etc. This nntp 1.5.8.

If you run it out of inetd, you can even avoid this step, however, on some systems (a Sequent Symmetry, for example), you cannot use the low disk space avoidance code unless nntpd is running as root, since it needs to read the master block of the device. I used to run as news before that code was added, now I have to leave it running as root since I find it useful to have that safety net.
--
Mark Nagel
UC Irvine Department of ICS    +----------------------------------------+
ARPA: nagel@ics.uci.edu        | The world is coming to an end.         |
UUCP: ucbvax!ucivax!nagel      | Please log off.                        |
                               +----------------------------------------+
rdc30med@nmrdc1.nmrdc.nnmc.navy.mil (LCDR Michael E. Dobson) (07/18/90)
In article <1990Jul11.164853.1715@phri.nyu.edu> roy@alanine.phri.nyu.edu (Roy Smith) writes:
>
> Eventually I figured out that what was going on was that nntpd was
>running as root and root permissions do not extend accross NFS mount
>points. One question this brings up is, does nntp really have to run as
>root? Could I run nntp as news instead? Another is, why didn't nntp log

I never run any of my TCP/IP daemons as root; they are all bin except for nntpd. I have recently been running that as owner news, group bin. So far I haven't noticed any problems. It accesses the history file ok and puts incoming stuff in in.coming. I haven't tried sending to a remotely mounted file system so I can't address the remainder of your questions.
--
Mike Dobson, Sys Admin for     | Internet: rdc30med@nmrdc1.nmrdc.nnmc.navy.mil
nmrdc1.nmrdc.nnmc.navy.mil     | UUCP: ...uunet!mimsy!nmrdc1!rdc30med
AT&T 3B2/600G Sys V R 3.2.2    | BITNET: dobson@usuhsb.bitnet
WIN/TCP for 3B2                | MCI-Mail: 377-2719 or 0003772719@mcimail.com
per@erix.ericsson.se (Per Hedeland) (07/18/90)
In article <269C9E02.1535@ics.uci.edu>, nagel@esp.ics.uci.edu (Mark Nagel) writes:
|> If you run it out of inetd, you can even avoid this step, however,
|> on some systems (a Sequent Symmetry, for example), you cannot use
|> the low disk space avoidance code unless nntpd is running as root,
|> since it needs to read the master block of the device.

A better solution is to have the disk devices readable by a group (e.g. 'operator') - this is the default setup on e.g. BSD and SunOS - and nntpd setgid to this group.

--Per Hedeland
per@erix.ericsson.se or per%erix.ericsson.se@uunet.uu.net or ...uunet!erix.ericsson.se!per