public inbox for nncp-devel@lists.cypherpunks.ru
From: John Goerzen <jgoerzen@complete•org>
To: nncp-devel@lists.cypherpunks.ru
Subject: Setup on unprivileged accounts
Date: Tue, 03 Aug 2021 23:08:04 -0500
Message-ID: <87lf5hx36j.fsf@complete.org>
Hi,
I'm hoping to offer NNCP for people on some public-access Unix
systems (SDF and tilde.team at least). These systems generally:
- do not offer root access
- may not permit incoming ports or daemon processes
- don't give me control over sudo
- do give me cron access
My initial scheme, used elsewhere, of calling to "|sudo ...
nncp-daemon -inetd" won't work here. I'm thinking of
alternatives.
The manual talks about a multiuser spool directory. It seems to
envision it for several users on the system sharing a single NNCP
node (they would all send/receive from the same node). Not quite
what I'm after, but maybe close.
Some brainstorms I've had:
1) nncp-daemon could be setuid to me and people could just call to
"|nncp-daemon -inetd". However, I dislike this for security
reasons; since it has a -cfg parameter, this could lead to some
unpleasant effects in the hands of a malicious person and I don't
think I want to go down this path.
2) Perhaps I could lock down the setuid nncp-daemon and have a
wrapper that forces command-line options to a certain set. It
sure has some elegance to it, as it avoids cron entirely (at least
for exchange; may still need it for tossing), but still makes me
nervous.
3) The spool directory for each local peer could be chowned to
that account, with its sticky bit set. That would at least let
that person get and receive packets. But that opens the question
- how? Maybe the local peers would need to cron a nncp-xfer
command that has a different cfg set to pull the files out, and
another one to pull them in?
4) Perhaps as a variant on #3, I could have a regular-permissioned
spool directory and then nncp-xfer into a separate tree with
directories owned as appropriate with sticky bits set. Peers
would have a similar nncp-xfer to pull stuff out of there.
Thanks!
- John
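The wrapper idea in option 2, as an added example that is not part of the thread and not NNCP's own code: a tiny setuid-to-the-node-owner C program that discards whatever the caller passes and execs nncp-daemon with a fixed argument vector and a fixed environment, so the caller can never supply `-cfg` (the concern raised in option 1) or inject `LD_PRELOAD`/`PATH`. The binary path and config path are assumptions; `-cfg` and `-inetd` are the flags named in the message. Two things to check before relying on it: the filesystem holding the wrapper must not be mounted `nosuid` (common on shared hosts, and it silently turns the setuid bit into a no-op), and the bit is set by the file's owner with `chmod u+s`, which needs no root.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed paths: point these at the account that owns the NNCP node. */
#define NNCP_DAEMON "/home/john/bin/nncp-daemon"
#define NNCP_CFG    "/home/john/.nncp/nncp.hjson"

/* The only argument vector the daemon will ever see. The caller has no
 * way to add or replace entries, so in particular it can never pass its
 * own -cfg and point the setuid daemon at a configuration it controls. */
static char *const fixed_argv[] = {
    "nncp-daemon", "-cfg", NNCP_CFG, "-inetd", NULL
};

/* A minimal environment built from scratch: the caller's LD_PRELOAD,
 * PATH, HOME and friends never reach the daemon. */
static char *const fixed_envp[] = { "PATH=/usr/bin:/bin", NULL };

/* Number of real entries in fixed_argv (excluding the NULL terminator). */
int fixed_argc(void) {
    int n = 0;
    while (fixed_argv[n] != NULL) n++;
    return n;
}

/* Policy check: refuse any caller-supplied argument outright. Rejecting
 * rather than filtering keeps the rule trivial to audit. Returns 1 when
 * the invocation must be refused. */
int should_refuse(int argc) {
    return argc != 1;
}

/* Make the real uid equal to the effective (owner) uid so the daemon runs
 * fully as the node owner rather than with a split identity, then exec
 * with the fixed vectors. Returns -1 only on failure; execve does not
 * return on success. */
int run_daemon(void) {
    uid_t owner = geteuid();
    if (setreuid(owner, owner) != 0) return -1;
    execve(NNCP_DAEMON, fixed_argv, fixed_envp);
    return -1; /* reached only if execve failed */
}

int main(int argc, char **argv) {
    (void)argv; /* deliberately ignored: nothing from the caller is used */
    if (should_refuse(argc)) {
        fprintf(stderr, "nncp-inetd-wrapper: no arguments accepted\n");
        return 2;
    }
    if (run_daemon() != 0) {
        perror("execve " NNCP_DAEMON);
        return 1;
    }
    return 0;
}
```

Peers then invoke the wrapper instead of nncp-daemon in their "|..." call; stdin and stdout are inherited, which is exactly what `-inetd` mode expects. Because the argument vector is a compile-time constant, reviewing what the daemon can be made to do reduces to reading those four strings.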
Thread overview:
2021-08-04 4:08 John Goerzen [this message]
2021-08-04 12:22 ` Setup on unprivileged accounts John Goerzen
2021-08-04 13:50 ` Sergey Matveev
2021-08-04 18:58 ` Jonathan Lane
2021-08-05 4:23 ` John Goerzen