INN nnrpd-ssl error: "can't read: Permission denied"

<nsn.20220529112245.919@scatha.ancalagon.de>


https://rocksolidbbs.com/computers/article-flat.php?id=820&group=news.software.nntp#820

Path: i2pn2.org!i2pn.org!news.uzoreto.com!news.szaf.org!thangorodrim.ancalagon.de!.POSTED.scatha.ancalagon.de!not-for-mail
From: thh@thh.name (Thomas Hochstein)
Newsgroups: news.software.nntp
Subject: INN nnrpd-ssl error: "can't read: Permission denied"
Date: Sun, 29 May 2022 11:22:46 +0200
Message-ID: <nsn.20220529112245.919@scatha.ancalagon.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Injection-Info: thangorodrim.ancalagon.de; posting-host="scatha.ancalagon.de:10.0.1.1";
logging-data="6401"; mail-complaints-to="abuse@th-h.de"
User-Agent: ForteAgent/8.00.32.1272
X-NNTP-Posting-Date: Sun, 29 May 2022 11:22:45 +0200
X-Clacks-Overhead: GNU Terry Pratchett
Cancel-Lock: sha1:3krlEZ7RM2cuH9hfddiMMjegeMY=
 by: Thomas Hochstein - Sun, 29 May 2022 09:22 UTC

Hi,

sometimes nnrpd, using TLS, will log an error message I don't understand:
| May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] can't read: Permission denied

(nnrpd-ssl is a symlink to nnrpd)

It's always the same user, AFAIS, and it's logged together with a
"timeout" message, before the connection terminates, like that
(identifying information removed):
| May 28 xx:06:10 nnrpd-ssl[25759]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
| May 28 xx:06:10 nnrpd-ssl[25759]: ? reverse lookup for 2a02:8108:8dc0:[...] failed: Name or service not known -- using IP address for access
| May 28 xx:06:10 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] (2a02:8108:8dc0:[...]) connect - port 119
| May 28 xx:06:11 nnrpd-ssl[25759]: SERVER perl filtering enabled
| May 28 xx:06:11 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] user [...]
| May 28 xx:06:11 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] user [...]
| May 28 xx:06:11 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] group [...] 0
| [...]
| May 28 xx:06:15 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] group [...] 0
| May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] can't read: Permission denied
| May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] timeout
| May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] group [...] 0
| May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] times user 0.096 system 0.016 idle 0.000 elapsed 2787.580
| May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] overstats count 4 hit 10 miss 0 time 0 size 3742 dbz 0 seek 0 get 0 artcheck 0
| May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] time 2787581 nntpwrite 3(66)

This does not happen on every connect from that user, and it's not always
the same group before or after the timeout.

Where does that message come from, and what may be the reason?

-thh
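
Added example, not part of the original post: one way to check across a whole syslog file whether the "can't read" error is always logged alongside "timeout" is to group nnrpd-ssl lines by PID and report the TLS version and elapsed time of each affected session. The sample log is constructed in the format shown above, with documentation-range addresses and a made-up group name.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format shown in the post (addresses and
# group names are placeholders, not values from the thread).
SAMPLE_LOG = """\
May 28 10:06:10 nnrpd-ssl[25759]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
May 28 10:06:10 nnrpd-ssl[25759]: 2001:db8::1 (2001:db8::1) connect - port 119
May 28 10:06:15 nnrpd-ssl[25759]: 2001:db8::1 group example.test 0
May 28 10:52:38 nnrpd-ssl[25759]: 2001:db8::1 can't read: Permission denied
May 28 10:52:38 nnrpd-ssl[25759]: 2001:db8::1 timeout
May 28 10:52:38 nnrpd-ssl[25759]: 2001:db8::1 times user 0.096 system 0.016 idle 0.000 elapsed 2787.580
May 28 11:00:01 nnrpd-ssl[26001]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) no authentication
May 28 11:00:01 nnrpd-ssl[26001]: 2001:db8::2 (2001:db8::2) connect - port 119
May 28 11:00:09 nnrpd-ssl[26001]: 2001:db8::2 times user 0.010 system 0.004 idle 0.000 elapsed 8.120
"""

# "Mon DD HH:MM:SS nnrpd-ssl[PID]: message"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) nnrpd-ssl\[(\d+)\]: (.*)$")

def read_errors(log_text):
    """Return one record per nnrpd-ssl process that logged "can't read"."""
    sessions = defaultdict(lambda: {"tls": None, "client": None, "error": None,
                                    "error_at": None, "with_timeout": False,
                                    "elapsed": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        s = sessions[pid]
        if msg.startswith("starttls: "):
            s["tls"] = msg.split()[1]            # negotiated protocol version
        elif (e := re.match(r"(\S+) can't read: (.*)$", msg)):
            s["client"], s["error"], s["error_at"] = e.group(1), e.group(2), stamp
        elif msg.endswith(" timeout") and s["error_at"] == stamp:
            s["with_timeout"] = True             # timeout logged in the same second
        elif (t := re.search(r" times .* elapsed ([\d.]+)$", msg)):
            s["elapsed"] = float(t.group(1))     # session length in seconds
    return {pid: s for pid, s in sessions.items() if s["error"]}

if __name__ == "__main__":
    for pid, s in read_errors(SAMPLE_LOG).items():
        print(pid, s["client"], s["tls"], s["error"],
              "timeout" if s["with_timeout"] else "no timeout", s["elapsed"])
```
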

Re: INN nnrpd-ssl error: "can't read: Permission denied"

<t6vg2r$1lhc4$1@news.trigofacile.com>


https://rocksolidbbs.com/computers/article-flat.php?id=821&group=news.software.nntp#821

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.trigofacile.com!.POSTED.176.143-2-105.abo.bbox.fr!not-for-mail
From: iulius@nom-de-mon-site.com.invalid (Julien ÉLIE)
Newsgroups: news.software.nntp
Subject: Re: INN nnrpd-ssl error: "can't read: Permission denied"
Date: Sun, 29 May 2022 11:57:46 +0200
Organization: Groupes francophones par TrigoFACILE
Message-ID: <t6vg2r$1lhc4$1@news.trigofacile.com>
References: <nsn.20220529112245.919@scatha.ancalagon.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 29 May 2022 09:57:47 -0000 (UTC)
Injection-Info: news.trigofacile.com; posting-account="julien"; posting-host="176.143-2-105.abo.bbox.fr:176.143.2.105";
logging-data="1754500"; mail-complaints-to="abuse@trigofacile.com"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
Gecko/20100101 Thunderbird/91.9.1
Cancel-Lock: sha1:ltNFB6No9bOAt0K3lSmVVVpvP5c= sha256:/ekfEvXsykw+lJuf9s/cljEICpB8yYpwl2N3EAiDTnY=
sha1:fDyR0XdEknctwmwtwhG1RdJLZf4= sha256:m2VcHng8sLrXCil+As+FiZ5dAJZbrTxcp57Deo8OjyM=
In-Reply-To: <nsn.20220529112245.919@scatha.ancalagon.de>
 by: Julien ÉLIE - Sun, 29 May 2022 09:57 UTC

Hi Thomas,

> sometimes nnrpd, using TLS, will log an error message I don't understand:
> | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] can't read: Permission denied
>
> It's always the same user, AFAIS

Do you happen to know which news reader he is using?

> and it's logged together with a
> "timeout" message, before the connection terminates, like that
> (identifying information removed):
> | May 28 xx:06:10 nnrpd-ssl[25759]: starttls: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) no authentication
> | May 28 xx:06:10 nnrpd-ssl[25759]: ? reverse lookup for 2a02:8108:8dc0:[...] failed: Name or service not known -- using IP address for access
> | May 28 xx:06:10 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] (2a02:8108:8dc0:[...]) connect - port 119

Is nnrpd-ssl listening to port 119 with implicit TLS (session directly
encrypted)?
Or is this client using explicit TLS (connecting to port 119 and then
sending a STARTTLS command)?

> | May 28 xx:06:15 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] group [...] 0
> | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] can't read: Permission denied
> | May 28 xx:52:38 nnrpd-ssl[25759]: 2a02:8108:8dc0:[...] timeout
>
> This does not happen on every connect from that user, and it's not always
> the same group before or after the timeout.
>
> Where does that message come from, and what may be the reason?

Thanks to tests with Michael, I've recently improved how nnrpd handles
timeouts during TLS sessions.
The following change will be in INN 2.7.0:
https://github.com/InterNetNews/inn/commit/e078fd53a4839593d79402e1ca6c672298ef577b

I hope it will fix the error you see.
Especially when the change consists of no longer SSL_read'ing incoming
data after the close_notify shutdown alert.
nnrpd now does the right logic, described in the (complex) OpenSSL
documentation.

--
Julien ÉLIE

« Il n'y a que le premier pas qui coûte. » (Mme du Deffand)

Re: INN nnrpd-ssl error: "can't read: Permission denied"

<t6vjcj$1livj$1@news.trigofacile.com>


https://rocksolidbbs.com/computers/article-flat.php?id=823&group=news.software.nntp#823

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.trigofacile.com!.POSTED.176.143-2-105.abo.bbox.fr!not-for-mail
From: iulius@nom-de-mon-site.com.invalid (Julien ÉLIE)
Newsgroups: news.software.nntp
Subject: Re: INN nnrpd-ssl error: "can't read: Permission denied"
Date: Sun, 29 May 2022 12:54:11 +0200
Organization: Groupes francophones par TrigoFACILE
Message-ID: <t6vjcj$1livj$1@news.trigofacile.com>
References: <nsn.20220529112245.919@scatha.ancalagon.de>
<t6vg2r$1lhc4$1@news.trigofacile.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 29 May 2022 10:54:11 -0000 (UTC)
Injection-Info: news.trigofacile.com; posting-account="julien"; posting-host="176.143-2-105.abo.bbox.fr:176.143.2.105";
logging-data="1756147"; mail-complaints-to="abuse@trigofacile.com"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
Gecko/20100101 Thunderbird/91.9.1
Cancel-Lock: sha1:eQgwQLVIebQKVc2vH3ho2V0ALI8= sha256:LglhB8uOSFFbKjhs/lc0usZNYd9wUTh0xesZmerbWNI=
sha1:AoxppWBdKTvCkCvYIf2tEuvct5U= sha256:WlVunPYXkv7dQe6fmEo7osqxIbtTQKawaJ3L3C0QXY4=
In-Reply-To: <t6vg2r$1lhc4$1@news.trigofacile.com>
 by: Julien ÉLIE - Sun, 29 May 2022 10:54 UTC

Just adding:
> The following change will be in INN 2.7.0:
>
> https://github.com/InterNetNews/inn/commit/e078fd53a4839593d79402e1ca6c672298ef577b

Already in INN 2.6.5 by the way.
In case you have the opportunity to test how INN 2.6.5 (or 2.7.0rc1)
behaves, I would be glad to hear.

--
Julien ÉLIE

« – Dis, je crois avoir entendu parler gothique par là !
– Tu as des visions, Pamplemus ! » (Astérix)

Re: INN nnrpd-ssl error: "can't read: Permission denied"

<t76j0f$36rr$1@bwh01.blueworldhosting.com>


https://rocksolidbbs.com/computers/article-flat.php?id=825&group=news.software.nntp#825

Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!feed1.usenet.blueworldhosting.com!.POSTED.023-084-030-207.res.spectrum.com!not-for-mail
From: jesse.rehmer@blueworldhosting.com (Jesse Rehmer)
Newsgroups: news.software.nntp
Subject: Re: INN nnrpd-ssl error: "can't read: Permission denied"
Date: Tue, 31 May 2022 21:30:39 -0500
Organization: BlueWorld Usenet (https://usenet.blueworldhosting.com)
Message-ID: <t76j0f$36rr$1@bwh01.blueworldhosting.com>
References: <nsn.20220529112245.919@scatha.ancalagon.de>
<t6vg2r$1lhc4$1@news.trigofacile.com> <t6vjcj$1livj$1@news.trigofacile.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 1 Jun 2022 02:30:39 -0000 (UTC)
Injection-Info: bwh01.blueworldhosting.com; posting-account="jesse"; posting-host="023-084-030-207.res.spectrum.com:23.84.30.207";
logging-data="105339"; mail-complaints-to="usenet@blueworldhosting.com"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
Gecko/20100101 Thunderbird/91.9.1
Cancel-Lock: sha1:U3otNeLm3BQdhUE1nZynXeHeOSg= sha256:dGyKyvb5iKyt9x/lXadJSc3EEgN/WkOIJbl0eiGnKbQ=
sha1:j+XaM3ay80ip6DqsoKHR0q4JGOQ= sha256:BIRO2PuFtSO4KZUXrGo9VLHjju9rxjpU5U/YAdttLp4=
Content-Language: en-US
In-Reply-To: <t6vjcj$1livj$1@news.trigofacile.com>
 by: Jesse Rehmer - Wed, 1 Jun 2022 02:30 UTC

On 5/29/22 5:54 AM, Julien ÉLIE wrote:
> Just adding:
>> The following change will be in INN 2.7.0:
>>
>> https://github.com/InterNetNews/inn/commit/e078fd53a4839593d79402e1ca6c672298ef577b
>>
>
> Already in INN 2.6.5 by the way.
> In case you have the opportunity to test how INN 2.6.5 (or 2.7.0rc1)
> behaves, I would be glad to hear.
>

It may be worth mentioning either in INSTALL or pgpverify that
GnuPG >2.1.0 will not import or verify most existing (PGP-2) keys. The
--allow-weak-digest-algos option was removed in 2.1
(https://www.gnupg.org/faq/whats-new-in-2.1.html#nopgp2). So one would
most likely want 1.4.x or 2.0.x for the foreseeable future.

