public inbox for nncp-devel@lists.stargrave.org
* What is /hdr/ subdirectory?
From: Hadmut Danisch @ 2026-03-10 23:28 UTC
To: nncp-devel

Hi,

technical question because I'm hunting a bug:

In /var/spool/nncp/*/tx there is a subdirectory /hdr/ .

There is always a pair of files, e.g.

    tx/7SM43TMJGSV3RGBZT4RPYK4XJN3HSMBGWPLEIBI2IMZPABREB4BQ
    tx/hdr/7SM43TMJGSV3RGBZT4RPYK4XJN3HSMBGWPLEIBI2IMZPABREB4BQ

and I'm hunting the problem of why they have different ownerships: the hdr file is owned by root and silently skipped by the daemon.

For some reason, the hdr file is generated significantly later (here: 10 min).

So my question is: What is the /hdr/ file? On what occasion is it generated?

regards

Hadmut
* Re: What is /hdr/ subdirectory?
From: John Goerzen @ 2026-03-11 2:50 UTC
To: Hadmut Danisch; Cc: nncp-devel

Hi Hadmut,

Sergey has some information about it here:

https://nncp.mirrors.quux.org/Spool.html#HdrFile

You can also use a nohdr option in the config file or on the command line to suppress this. They can be safely removed also.

- John

On Wed, Mar 11 2026, Hadmut Danisch wrote:

> Hi,
>
> technical question because I'm hunting a bug:
>
> In /var/spool/nncp/*/tx there is a subdirectory /hdr/ .
>
> There is always a pair of files, e.g.
>
>     tx/7SM43TMJGSV3RGBZT4RPYK4XJN3HSMBGWPLEIBI2IMZPABREB4BQ
>     tx/hdr/7SM43TMJGSV3RGBZT4RPYK4XJN3HSMBGWPLEIBI2IMZPABREB4BQ
>
> and I'm hunting the problem of why they have different ownerships: the hdr file is
> owned by root and silently skipped by the daemon.
>
> For some reason, the hdr file is generated significantly later (here: 10 min).
>
> So my question is: What is the /hdr/ file? On what occasion is it generated?
>
> regards
>
> Hadmut
* Permissions (Was: What is /hdr/ subdirectory?)
From: Hadmut Danisch @ 2026-03-11 11:51 UTC
To: John Goerzen; Cc: nncp-devel

Hi,

I've found the problem.

The debian/ubuntu nncp package comes with a flaw: In contrast to e.g. uucp, the nncp package creates a nncp user and sets ownership of /var/spool/nncp to nncp, but does not set the binaries setuid nncp, as e.g. uucp does.

The binaries are, therefore, always run as the user who calls them.

- it works when run as nncp
- it partly works when run as root, because all files can be written and read as root, but nncp-daemon and nncp-caller can't access them then.
- it does not work at all when called by someone else, because the program can't access /etc/nncp.yaml or /var/spool/nncp.

To fix this, I have set _some_ of the binaries setuid nncp. Which, on the other hand, is a security flaw, because every user on the system can rm nncp messages. But it worked.

I hadn't set nncp-stat, because I thought it only reads files. Every now and then I call nncp-stat as root to check everything is working correctly. This causes the /hdr/ files to be written, but with ownership root.

Once the /hdr/ file is owned by root, nncp-daemon silently ignores them and the message is never transmitted. Not even an error message.

A chown -R nncp:nncp /var/spool/nncp fixes things temporarily, and nncp-daemon can transmit them with the next run, until the admin calls nncp-stat again.

So this is somewhat error prone. And it lacks a description about how this (ownership and permissions) is supposed to work.

nncp-daemon should issue an error message if it can't read the /hdr/ file instead of silently ignoring the message.

Proposal:

- If the binaries are run as nncp or setuid nncp (i.e. same owner as /etc/nncp.yaml and/or /var/spool/nncp): If it can access /etc/nncp.yaml and /var/spool/nncp, run as normal, otherwise abort with an error message.
- If run as root, write files and create directories with the same uid/gid as /var/spool/nncp, or at least with g+rw and /var/spool/nncp set to g+s, to force all created files and directories to have nncp as their group and group rw permissions.
- Otherwise, if run as a normal user, use ~/.config/nncp.yaml and ~/.local/spool/nncp instead of /etc/nncp.yaml and /var/spool/nncp.

regards

Hadmut
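The failure mode described above (a tx/hdr/ file written by root and then silently skipped) can be made visible with a spool ownership audit. The following is an added example, not code from the thread or from the NNCP project; it assumes GNU find/stat, a spool laid out as in the thread (node/tx/ and node/tx/hdr/), and that the spool directory's owner (here nncp) is the owner every entry should have.

```shell
#!/bin/sh
# Added example: audit an NNCP spool for entries whose owner differs from
# the spool directory's owner, re-own only those (instead of chown -R on the
# whole spool), and list hdr cache files that have no packet beside them.
# Assumptions: GNU find/stat; spool owner name taken from the spool dir.

# Filter: read "OWNER PATH" lines on stdin, print those whose OWNER != $1.
filter_foreign_owner() {
    awk -v want="$1" '$1 != want { print }'
}

# Print "OWNER PATH" for every entry under $1 not owned by $1's own owner.
# Exit 0 when consistent, 1 when mismatches were printed, 2 when the spool
# directory cannot be inspected.
nncp_spool_audit() {
    spool="$1"
    owner=$(stat -c %U "$spool" 2>/dev/null) || return 2
    found=$(find "$spool" -printf '%u %p\n' | filter_foreign_owner "$owner")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Re-own only the mismatched entries (needs privilege to chown). The group
# is taken from the spool directory too, so a setgid spool stays consistent.
nncp_spool_fix() {
    spool="$1"
    owner=$(stat -c %U "$spool") || return 2
    group=$(stat -c %G "$spool") || return 2
    find "$spool" -printf '%u %p\n' | filter_foreign_owner "$owner" \
        | while read -r _ path; do chown "$owner:$group" "$path"; done
}

# Orphaned hdr cache entries: tx/hdr/<pkt> with no tx/<pkt>. The thread says
# hdr files are only a cache and can be removed, so an orphan is leftover
# cache, not a packet.
nncp_orphan_hdrs() {
    find "$1" -path '*/hdr/*' -type f 2>/dev/null | while read -r hdr; do
        pkt="${hdr%/hdr/*}/${hdr##*/}"
        [ -e "$pkt" ] || printf '%s\n' "$hdr"
    done
}
```

Run `nncp_spool_audit /var/spool/nncp` from cron or a health check; a non-zero exit is the error message the thread says nncp-daemon currently does not give.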
* Re: Permissions
From: John Goerzen @ 2026-03-11 12:08 UTC
To: Hadmut Danisch; Cc: nncp-devel

On Wed, Mar 11 2026, Hadmut Danisch wrote:

> The debian/ubuntu nncp package comes with a flaw: In contrast to e.g. uucp, the
> nncp package creates a nncp user and sets ownership of /var/spool/nncp to nncp,
> but does not set the binaries setuid nncp, as e.g. uucp does.

That's not a flaw; that's a feature. setuid is a security risk, and makes the assumption that every user on the system wants to run the systemwide NNCP. That's not really necessary with NNCP; it is entirely possible for every user to have their own NNCP instance that runs right out of their home directory, for instance.

It also makes the assumption that you want every user on the system to be able to run the NNCP commands, which isn't an assumption I'd make. If you don't want that kind of access, then you'd have to additionally layer some sort of access check mechanism in NNCP itself, which is unnecessary complexity.

You can use sudo to run NNCP commands as other users. Note that if you are using nncp-file to send a file that the nncp user can't access, you'll need to pipe it to nncp-file instead. In my .bash_aliases, I have:

    for FILE in /usr/bin/nncp-*; do
        BASENAME="`basename "$FILE"`"
        alias "$BASENAME=sudo -Hu nncp $FILE"
    done

https://www.complete.org/using-nncp-with-sudo/ has some more information on this. It also describes how you can have a central nncp user on a system, and then use sudo to let it communicate with user-specific NNCP installations on it.

> To fix this, I have set _some_ of the binaries setuid nncp. Which, on the other
> hand, is a security flaw, because every user on the system can rm nncp messages.
> But it worked.

That will be blown away when the NNCP package is upgraded; see dpkg-statoverride for a way to make it more permanent. Though note that due to the change from multiple binaries to a single binary, even that won't quite be enough for the next upgrade only.

> So this is somewhat error prone. And it lacks a description about how this (
> ownership and permissions) is supposed to work.

I wouldn't really recommend running NNCP commands as root (or PHP or whatever else).

> nncp-daemon should issue an error message if it can't read the /hdr/ file
> instead of silently ignoring the message.

Probably a good idea for Sergey there. Or it can just ignore the hdr file.

> - otherwise, if run as a normal user, use ~/.config/nncp.yaml and
> ~/.local/spool/nncp instead of /etc/nncp.yaml and /var/spool/nncp

That's also a nice suggestion!

- John
* Re: Permissions
From: Hadmut Danisch @ 2026-03-11 12:32 UTC
To: John Goerzen; Cc: nncp-devel

On 11.03.26 at 13:08, John Goerzen wrote:

> That's not a flaw; that's a feature. setuid is a security risk, and
> makes the assumption that every user on the system wants to run the
> systemwide NNCP. That's not really necessary with NNCP; it is entirely
> possible for every user to have their own NNCP instance that runs right
> out of their home directory, for instance.

So what is the user nncp and /var/spool/nncp good for, if no one could ever use it by design?

Should every single process (postfix, databases, ...) which is supposed to send files have its own nncp configuration and daemon?

I'm not talking about individual users. I'm talking about several services which should send backups, transfer e-mails and so on. Should they share a spool, a configuration, and a key, or should they have their own one?

regards

Hadmut
* Re: Permissions
From: John Goerzen @ 2026-03-11 16:27 UTC
To: Hadmut Danisch; Cc: nncp-devel

On Wed, Mar 11 2026, Hadmut Danisch wrote:

> So what is the user nncp and /var/spool/nncp good for, if no one could ever use
> it by design?
>
> Should every single process (postfix, databases, ...) which is supposed to send
> files have its own nncp configuration and daemon?

That's really up to you. As a distribution maintainer, I can't be making presumptions about all those things, especially in the direction of weakening security by default.

In my own case, for nncpnet, I simply add "user = nncp" in the exim transport configuration. For my Usenet server, I add the news user to the nncp group and make /var/spool/news setgid. Perhaps not the best, as the news user can then read the nncp.hjson file, but I could as easily use sudo to call it (perhaps I should do that). In any case, it's a single-use container so that makes reasonable sense.

> I'm not talking about individual users. I'm talking about several services which
> should send backups, transfer e-mails and so on. Should they share a spool, a
> configuration, and a key, or should they have their own one?

It is up to you. They could:

- All share the same configuration and be a member of the nncp group. The drawback is that they could then read the private keys.

- Share the same configuration, but call nncp utilities via sudo. Benefits of that are restricting actions to specific nncp commands and isolating the private keys from the calling accounts.

- Each have its own nncp installation, which could either directly interface with remote systems, or spool up to a local "hub" installation via nncp-xfer or regular call/daemon configuration, possibly via sudo.

UUCP was more prescriptive about system design, in part because it was from an earlier era where security was thought about differently, and in part because it required access to shared systemwide resources (modems) that often were restricted from user accounts. TCP isn't single-user in the way a serial line is, so more flexible options are possible with NNCP.

Incidentally, this is also why I ship example systemd service files for NNCP but do not activate them by default in the .debs. There are too many possible permutations of configurations for me to accurately anticipate what the user is likely to need. One could argue that creating the nncp user and group falls into that category as well, and not without merit. On the other hand, if somebody never uses the nncp user and group, it creates no actual change in system behavior, unlike, say, starting nncp-daemon, which opens a port.

- John
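The second option above (shared configuration, nncp utilities called via sudo so that the calling services never read the private keys) can be expressed as a sudoers fragment. This is an added example, not configuration from the thread or from the NNCP project; the /etc/sudoers.d/nncp path, the service account names backup and news, and the /usr/bin/nncp-* binary paths from the .bash_aliases snippet earlier in the thread are assumed.

```sudoers
# /etc/sudoers.d/nncp (assumed path); validate with: visudo -c -f /etc/sudoers.d/nncp
# Only the sending-side commands are delegated; nncp-daemon, nncp-call and the
# key/config handling commands stay with the nncp account itself.
Cmnd_Alias NNCP_SEND = /usr/bin/nncp-file, /usr/bin/nncp-exec, /usr/bin/nncp-stat

# Service accounts may run exactly these commands as nncp, nothing else.
# -H (as in the thread's aliases) sets HOME to nncp's, so config lookup
# and spool writes happen with nncp ownership, never the caller's.
backup ALL = (nncp) NOPASSWD: NNCP_SEND
news   ALL = (nncp) NOPASSWD: NNCP_SEND

# Keep sudo from reusing the caller's environment, which could otherwise
# redirect config or library lookups into the caller's home directory.
Defaults:backup,news env_reset, !env_keep
```

With this in place nncp.hjson can stay mode 0600 owned by nncp, and a file the nncp user cannot read is still sent by piping it into `sudo -Hu nncp nncp-file`, as the thread notes.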
* Re: Permissions
From: Hadmut Danisch @ 2026-03-11 16:35 UTC
To: John Goerzen; Cc: nncp-devel

On 11.03.26 at 17:27, John Goerzen wrote:

> They could:
>
> - All share the same configuration and be a member of the nncp group.
> The drawback is that they could then read the private keys.
>
> - Share the same configuration, but call nncp utilities via sudo.
> Benefits of that are restricting actions to specific nncp commands and
> isolating the private keys from the calling accounts.
>
> - Each have its own nncp installation, which could either directly
> interface with remote systems, or spool up to a local "hub"
> installation via nncp-xfer or regular call/daemon configuration,
> possibly via sudo

What about writing nncp so that it deals properly with the task and has none of the drawbacks?
* Re: Permissions
From: John Goerzen @ 2026-03-11 16:48 UTC
To: Hadmut Danisch; Cc: nncp-devel

On Wed, Mar 11 2026, Hadmut Danisch wrote:

> What about writing nncp so that it deals properly with the task and has none of
> the drawbacks?

I'm not the author of nncp, but from my perspective it already pretty much is, modulo a couple of minor tweaks you pointed out.

I mean, what do you propose? setuid/setgid brings along a whole host of problems. Now any user on the system can invoke the tool. There are very few setuid/setgid programs anymore on a modern system, and for good reason. On my system, which has a fair amount of software installed, the setuid ones all seem to have system functions (passwd, mount, etc). The only other one is procmail, and that has to do with writing into user directories from MTAs that aren't capable of running it as the user, I suppose.

I think it's a good thing that we have more modern design patterns now. You can already set it up as a central daemon on the system where individual users connect to if you want, and I've documented how to do that also. There's nothing stopping you from running a separate nncp for email, another for backups, etc. and they all just transfer files to the central daemon running as nncp.

- John
* Re: Permissions
From: John Goerzen @ 2026-03-11 16:30 UTC
To: Hadmut Danisch; Cc: nncp-devel

On Wed, Mar 11 2026, Hadmut Danisch wrote:

> So what is the user nncp and /var/spool/nncp good for, if no one could ever use
> it by design?

I guess I should say, I do use this on every installation of mine. My typical laptop setup is to have the systemwide installation there, have it dump incoming files into a directory I have access to as my regular user, restrict nncp.hjson to just the nncp user, and use sudo from my regular user account to call nncp utilities, as documented before. For incoming nncp-exec packets, I use sudo in nncp.hjson to process them as whatever user is appropriate.

- John
* Re: Permissions
From: Sergey Matveev @ 2026-03-15 8:17 UTC
To: nncp-devel

Greetings!

*** Hadmut Danisch [2026-03-11 13:32]:
> I'm not talking about individual users. I'm talking about several services
> which should send backups, transfer e-mails and so on. Should they share a
> spool, a configuration, and a key, or should they have their own one?

I did not think about those questions, because there are many possible use-cases, all of which come with their own drawbacks and conveniences. It is up to end-users/maintainers. setuid solutions are questionable, as John pointed out. I do not want to say that it is not acceptable at all (I used it in other Go projects), but currently I do not have any opinion on it.

--
Sergey Matveev (http://www.stargrave.org/)
LibrePGP: 12AD 3268 9C66 0D42 6967 FD75 CB82 0563 2107 AD8A
* Re: What is /hdr/ subdirectory?
From: Sergey Matveev @ 2026-03-11 7:36 UTC
To: nncp-devel

Greetings!

*** Hadmut Danisch [2026-03-11 00:28]:
> and I'm hunting the problem of why they have different ownerships: the hdr
> file is owned by root and silently skipped by the daemon.

Maybe different toss/daemon processes running at different times with different permissions/owners.

> So my question is: What is the /hdr/ file? On what occasion is it generated?

It is just a "cached" version of the encrypted packet's header. Just its stripped part. There are options to disable its generation entirely. That feature was created to speed up the process of listing/searching in big spools on ZFS. ZFS uses by default rather big records: 128KiB. So reading even a single byte of the packet will lead to reading at least the single block, which is up to 128KiB (before compression). That leads to big read-amplification during searching for packets in the spool with acceptable niceness. Those hdr files are just a hack to prevent that read-amplification.

--
Sergey Matveev (http://www.stargrave.org/)
LibrePGP: 12AD 3268 9C66 0D42 6967 FD75 CB82 0563 2107 AD8A