From: Sergey Matveev <stargrave@stargrave•org>
To: nncp-devel@lists.cypherpunks.ru
Subject: Re: nncp-sudo
Date: Fri, 20 Aug 2021 14:11:20 +0300
Message-ID: <YR+N2CZcndUkCJN1@stargrave.org>
In-Reply-To: <87wnogeq8n.fsf@complete.org>


Greetings!

*** John Goerzen [2021-08-19 22:42]:
>I also have a more detailed exploration of how sudo and NNCP can work
>together, both for exchanging data between two different NNCP installations
>on a local machine, and for cases where NNCP runs as a different user than
>your regular user.
>https://github.com/jgoerzen/nncp-tools/blob/main/docs/nncp-sudo.org

And yet again, possibly stupid question out of curiosity: aren't the
ordinary Unix permissions enough? I assume that there is some host with
two (or more) users, sharing the same spool. Honestly I do not remember
if I tried the setup, but because the
http://www.nncpgo.org/Administration.html#Shared-spool
page exists, it seems that I tried it. The problem out-of-box is that
newly created files are owned solely by the user who called
nncp-commands. Let's try to "bias" the permissions to the group:

* create "nncp"/whatever group with the users allowed to share NNCP
  installation (spool/logs)
* chgrp -R nncp $NNCPCFG $NNCPLOG $NNCPSPOOL
* allow group reading of the configuration file: chmod g+r $NNCPCFG
* allow group reading/writing of the spool: chmod -R g+rwx $NNCPSPOOL
* force group owning of the spool, so newly created packets won't be
  owned by user's group: chmod -R g+s $NNCPSPOOL
* by default many users have umask 022. Personally I have umask 077.
  That will prohibit read/write of newly created packets in the spool,
  even taking the fact that they are owned (because of chmod-setgid) by
  "nncp" group. Let's force necessary umask usage:
      echo 'umask: "007"' >> $NNCPCFG

That way all newly created/generated packets will be owned by different
users, but with the same common "nncp" group, having RW-access.

Personally I run nncp-daemon mainly on TCP port 540 (the "uucp" one),
which requires root privileges to listen on. That is why I use
ucspi-tcp+daemontools to run tcpserver (utility from UCSPI-TCP) under
root, which runs setuidgid-ed nncp-daemon when a connection is
established (with capturing the log in a separate file through a
separate daemon running under different privileges):

    # cat /var/service/nncp-daemon/run
    #!/bin/sh -e
    NNCPLOG=FD:4 exec envuidgid uucp tcpserver -DHRU -l 0 ::0 uucp \
      nncp-daemon -ucspi -quiet -autotoss 4>&1

    # cat /var/service/nncp-daemon/log/run
    #!/bin/sh -e
    exec setuidgid stargrave multilog ./main

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF
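As an added example (not code from the thread, from John Goerzen's nncp-tools, or from NNCP itself), the shell script below rebuilds the shared-spool recipe from the message above in a throwaway directory: group ownership, `g+rwx`, setgid on directories, and the `umask: "007"` config line. It then creates a "packet" under the common default umask 022 and under 007 and prints each file's mode, so the effect the message describes (022 leaves the group without write access, 007 yields mode 660) can be checked directly. Assumptions: GNU coreutils (`stat -c`), and the caller's primary group standing in for the "nncp" group, since creating a group needs root; the config file name `nncp.hjson` is constructed for the demo.

```sh
#!/bin/sh
# Added example; not from the mailing-list thread or the NNCP project.
# Rebuilds the shared-spool permission recipe in a scratch directory and
# reports the mode of freshly created "packets" under different umasks.
# Assumes GNU coreutils (stat -c); uses the caller's primary group as a
# stand-in for the "nncp" group because group creation requires root.
set -e

# Apply the recipe to a spool tree: group ownership, group rwx, and
# setgid on directories so files created inside inherit the group.
setup_shared_spool() {
    spool="$1"
    group="$2"
    mkdir -p "$spool"
    chgrp -R "$group" "$spool"
    chmod -R g+rwx "$spool"
    # setgid only matters on directories here, so skip regular files.
    find "$spool" -type d -exec chmod g+s '{}' ';'
}

# Append the umask setting from the recipe to a (constructed) config file.
append_umask_to_cfg() {
    cfg="$1"
    echo 'umask: "007"' >> "$cfg"
}

# Create a file in the spool under the given umask, as an nncp command
# writing a packet would, and print its octal mode (660 under umask 007).
create_packet() {
    spool="$1"
    name="$2"
    mask="$3"
    ( umask "$mask"; : > "$spool/$name" )
    stat -c '%a' "$spool/$name"
}

# Print the group owning a packet; with setgid it matches the spool's group.
packet_group() {
    stat -c '%G' "$1/$2"
}

# Demo: compare the common default umask 022 with the recipe's umask 007.
demo() {
    tmp=$(mktemp -d)
    spool="$tmp/spool"
    setup_shared_spool "$spool" "$(id -gn)"
    append_umask_to_cfg "$tmp/nncp.hjson"
    echo "umask 022 -> mode $(create_packet "$spool" pkt-022 022)"
    echo "umask 007 -> mode $(create_packet "$spool" pkt-007 007)"
    echo "group of pkt-007: $(packet_group "$spool" pkt-007)"
    rm -rf "$tmp"
}

demo
```

Running it on a Linux host prints mode 644 for the umask 022 file (group read-only, so a second spool user could not move or remove that packet) and 660 for the umask 007 file, both owned by the spool's group.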

