01-09-2002, 07:46 PM | #1 | Member, Registered: Dec 2001, Posts: 195
Sendmail - RunAsUser=sendmail:mail / What files do I have to change?
My security book says it's a great idea to use the RunAsUser option in sendmail. It says you also have to change ownership on many files, including /var/spool/mqueue, alias lists, and :include: files. Ummmm... Does someone know exactly which files need to be changed? I'm afraid I'll mess something up once again. I have no idea what alias lists and :include: files are.
Thanks
01-10-2002, 06:07 PM | #3 | Member (Original Poster), Registered: Dec 2001, Posts: 195
Why am I getting this error? The permissions look OK.
My sendmail.cf has:
O RunAsUser=sendmail:mail
I created the user via:
useradd sendmail -g mail
???
-rw-r--r-- 1 sendmail mail 424 Jan 8 18:37 access
-rw-r--r-- 1 sendmail mail 12288 Jan 10 18:54 access.db
-rw-r--r-- 1 sendmail mail 0 Mar 3 2001 domaintable
-rw-r--r-- 1 sendmail mail 12288 Jan 10 18:54 domaintable.db
-rw-r--r-- 1 sendmail mail 0 Jan 7 06:54 helpfile
-rw-r--r-- 1 sendmail mail 79 Jan 7 07:09 local-host-names
-rw-r--r-- 1 sendmail mail 0 Mar 3 2001 mailertable
-rw-r--r-- 1 sendmail mail 12288 Jan 10 18:54 mailertable.db
-rw-r--r-- 1 sendmail mail 611 Mar 3 2001 Makefile
-rw-r--r-- 1 sendmail mail 15 Jan 7 07:07 relay-domains
-rw-r--r-- 1 sendmail mail 2292 Jan 7 06:55 sendmail.mc
-rw-r--r-- 1 sendmail mail 127 Mar 3 2001 trusted-users
-rw-r--r-- 1 sendmail mail 0 Mar 3 2001 virtusertable
-rw-r--r-- 1 sendmail mail 12288 Jan 10 18:54 virtusertable.db
/etc/rc.d/init.d/sendmail start
Starting sendmail: makemap: error opening type hash map /etc/mail/virtusertable: Permission denied
makemap: error opening type hash map /etc/mail/access: Permission denied
makemap: error opening type hash map /etc/mail/domaintable: Permission denied
makemap: error opening type hash map /etc/mail/mailertable: Permission denied
[ OK ]
01-11-2002, 12:59 AM | #4 | Moderator, Registered: May 2001, Posts: 29,417
RunAsUser=<username>, IIRC, not RunAsUser=<username>:<group>
01-12-2002, 03:07 PM | #5 | Member (Original Poster), Registered: Dec 2001, Posts: 195
Same error when RunAsUser=sendmail:
total 40
-rw----r-- 1 sendmail sendmail 424 Jan 8 18:37 access
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 15:04 access.db
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 domaintable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 15:04 domaintable.db
-rw-r--r-- 1 sendmail sendmail 0 Jan 7 06:54 helpfile
-rw-r--r-- 1 sendmail sendmail 79 Jan 7 07:09 local-host-names
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 mailertable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 15:04 mailertable.db
-rw-r--r-- 1 sendmail sendmail 611 Mar 3 2001 Makefile
-rw-r--r-- 1 sendmail sendmail 15 Jan 7 07:07 relay-domains
-rw-r--r-- 1 sendmail sendmail 2292 Jan 7 06:55 sendmail.mc
-rw-r--r-- 1 sendmail sendmail 127 Mar 3 2001 trusted-users
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 virtusertable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 15:04 virtusertable.db
/etc/rc.d/init.d/sendmail start
Starting sendmail: makemap: error opening type hash map /etc/mail/virtusertable: Permission denied
makemap: error opening type hash map /etc/mail/access: Permission denied
makemap: error opening type hash map /etc/mail/domaintable: Permission denied
makemap: error opening type hash map /etc/mail/mailertable: Permission denied
[ OK ]
If the RunAsUser is sendmail and he owns these files, why am I getting these errors?
Thanks
01-12-2002, 06:36 PM | #6 | Moderator, Registered: May 2001, Posts: 29,417
Can the RunAsUser read/write /etc/aliases(.db)?
01-13-2002, 08:44 AM | #7 | Member (Original Poster), Registered: Dec 2001, Posts: 195
ls -l /etc/mail
-rw-r--r-- 1 sendmail sendmail 424 Jan 8 18:37 access
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 access.db
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 domaintable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 domaintable.db
-rw-r--r-- 1 sendmail sendmail 0 Jan 7 06:54 helpfile
-rw-r--r-- 1 sendmail sendmail 79 Jan 7 07:09 local-host-names
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 mailertable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 mailertable.db
-rw-r--r-- 1 sendmail sendmail 611 Mar 3 2001 Makefile
-rw-r--r-- 1 sendmail sendmail 15 Jan 7 07:07 relay-domains
-rw-r--r-- 1 sendmail sendmail 2292 Jan 7 06:55 sendmail.mc
-rw-r--r-- 1 sendmail sendmail 127 Mar 3 2001 trusted-users
-rw-r--r-- 1 sendmail sendmail 0 Mar 3 2001 virtusertable
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 virtusertable.db
ls -l /etc/aliases.db
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 /etc/aliases.db
ls -al /var/spool/mqueue
total 8
drwxr-xr-x 2 sendmail sendmail 4096 Jan 12 17:17 .
drwxr-xr-x 14 root root 4096 Jan 7 20:44 ..
whereis sendmail
sendmail: /usr/sbin/sendmail /etc/sendmail.cf /usr/lib/sendmail /usr/share/man/man8/sendmail.8.gz
ls -l /usr/sbin/sendmail
-r-sr-xr-x 1 sendmail sendmail 417828 Mar 3 2001 /usr/sbin/sendmail
ls -l /etc/sendmail.cf
-rw-r--r-- 1 sendmail sendmail 46454 Jan 13 09:28 /etc/sendmail.cf
ls -l /usr/lib/sendmail
lrwxrwxrwx 1 sendmail sendmail 16 Jan 7 01:41 /usr/lib/sendmail -> ../sbin/sendmail
ls -l /usr/share/man/man8/sendmail.8.gz
-rw-r--r-- 1 sendmail sendmail 6387 Mar 3 2001 /usr/share/man/man8/sendmail.8.gz
Doesn't this look right? My concern is: it says all maps and all :include: files must be readable. Am I missing something?
Thanks so much
01-13-2002, 08:47 AM | #8 | Member (Original Poster), Registered: Dec 2001, Posts: 195
Left one out.
ls -l aliases
-rw-r--r-- 1 sendmail sendmail 1048 Mar 3 2001 aliases
01-13-2002, 10:38 AM | #9 | Moderator, Registered: May 2001, Posts: 29,417
chown sendmail.sendmail /var/lib/mailertable
Also check your /var/log/mail(log) for failures.
01-13-2002, 11:10 AM | #10 | Member (Original Poster), Registered: Dec 2001, Posts: 195
/var/lib/mailertable doesn't exist.
LOG:
Jan 13 12:02:03 myhost sendmail[1108]: NOQUEUE: SYSERR(root): drop_privileges: setuid(0) succeeded (when it should not): Operation not permitted
Jan 13 12:02:03 myhost sendmail[1118]: starting daemon (8.11.2): SMTP+queueing@01:00:00
Jan 13 12:02:03 myhost sendmail[1118]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Permission denied
Jan 13 12:02:03 myhost sendmail[1118]: daemon MTA: problem creating SMTP socket
Jan 13 12:02:03 myhost sendmail[1118]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: server SMTP socket wedged: exiting
UHHHHHHHH and this means???????
01-13-2002, 11:36 AM | #11 | Moderator, Registered: May 2001, Posts: 29,417
The sendmail binary needs to bind to a socket < 1024, so it needs a UID that is allowed these privileges. That's why the docs say it uses the RunAsUser UID after binding to the socket. Your sendmail binary is setuid sendmail, not setuid root, and that's why the rest of the files need to be readable by the RunAsUser UID.
Btw, mailertable should exist somewhere, because it's needed by the makemap utility:
"find / -name mailertable -print" should show it.
01-13-2002, 12:01 PM | #12 | Member (Original Poster), Registered: Dec 2001, Posts: 195
I changed ownership of /usr/lib/sendmail and /usr/sbin/sendmail to root and still get the same errors.
mailertable is located in /etc/mail and is owned by sendmail.
I'm not sure why I'm having so many problems. I'm researching on the net and every single article assumes you know everything.
Thanks
01-13-2002, 01:40 PM | #13 | Moderator, Registered: May 2001, Posts: 29,417
OK. I'll just give a rundown of what I did to make use of the RunAsUser "feature". I already have the user "mail", I'm using Linuxconf to handle rendering sendmail.cf, and I've got my extra options in /etc/mail/mailconf/stdoptions.cf (the horror, the horror). Hope this checklist helps and I didn't forget anything essential.
1. Add lines to stdoptions.cf so they get processed (else use /etc/mail/sendmail.mc and use the proper m4 calls):
# Suid user
O RunAsUser=mail
# Cant write /var/run
O PidFile=/tmp/sendmail.pid
# Who owns files
O TrustedUser=mail
# Uid running mailer
# see CERT about sendmail buffer overflows.
O DefaultUser=mailnull
2. "mailconf --generatecf" or render with "m4 /etc/mail/sendmail.mc > /etc/sendmail.cf"
*note mailconf also does the "makemap -o hash etc etc" stuff.
3. "chown -R mail.mail /etc/mail; chown mail.mail /etc/aliase* /etc/sendmail* /var/spool/{mqueue,mail} /var/lib/mailertab*"
4. restart sendmail and check its logs.
This works for me.
Last edited by unSpawn; 01-13-2002 at 01:44 PM.
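Added here as an illustration, not code from the thread or from unSpawn: a POSIX sh audit over "ls -l" output that checks the two things this checklist and the log above turn on, files the RunAsUser account cannot read, and a sendmail binary that is setuid to a non-root user (which is what left sendmail unable to bind port 25 before dropping to RunAsUser). Group membership is taken from the arguments, as in RunAsUser=user:group; the input lines are constructed from the listings in this thread plus one made-up root-owned aliases.db.

```shell
#!/bin/sh
# Added example (not from the thread): audit "ls -l" lines for
#  (1) files the RunAsUser account cannot read (maps, aliases, :include:
#      files must all be readable by that user), and
#  (2) a sendmail binary that is setuid to someone other than root.

# perm_reads USER GROUP MODE OWNER OWNGROUP: succeeds if USER may read.
perm_reads() {
    if [ "$1" = "$4" ]; then pos=2          # owner read bit
    elif [ "$2" = "$5" ]; then pos=5        # group read bit
    else pos=8; fi                          # other read bit
    [ "$(printf '%s' "$3" | cut -c"$pos")" = r ]
}

# audit_listing USER GROUP: reads "ls -l" lines on stdin, prints one
# finding per line, nothing when everything checks out.
audit_listing() {
    while read -r mode links owner grp size mon day tm name rest; do
        # skip blank lines, "total N", "dir:" headers, directories, symlinks
        case $mode in ''|total*|*:|d*|l*) continue ;; esac
        perm_reads "$1" "$2" "$mode" "$owner" "$grp" ||
            printf 'UNREADABLE %s %s %s:%s\n' "$name" "$mode" "$owner" "$grp"
        case $(printf '%s' "$mode" | cut -c4) in      # setuid bit position
            s|S) [ "$owner" = root ] ||
                printf 'SETUID-NONROOT %s owner=%s\n' "$name" "$owner" ;;
        esac
    done
    return 0
}

# Constructed input: three lines copied from this thread's listings plus a
# made-up root-owned, mode 0600 aliases.db to show an unreadable file.
sample_listing() {
    cat <<'EOF'
total 40
-rw----r-- 1 sendmail sendmail 424 Jan 8 18:37 access
-rw-r--r-- 1 sendmail sendmail 12288 Jan 12 16:06 access.db
-rw------- 1 root root 12288 Jan 12 16:06 /etc/aliases.db
-r-sr-xr-x 1 sendmail sendmail 417828 Mar 3 2001 /usr/sbin/sendmail
EOF
}

# Real use: ls -l /etc/mail/* /etc/aliases* /usr/sbin/sendmail | audit_listing sendmail sendmail
sample_listing | audit_listing sendmail sendmail
```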
01-14-2002, 08:01 AM | #14 | Member (Original Poster), Registered: Dec 2001, Posts: 195
Thanks unSpawn. I did exactly what you posted and it worked. I was missing some of the sendmail.cf stuff.
One last question regarding this. I'm using qpopper for POP3. Now that sendmail runs as user sendmail, qpopper has a problem. I can no longer send or receive mail via POP3. I'm not sure if this is a config change on the sendmail side or the qpopper side. I have gone through both configs and I can't figure this out. I have also searched and come up empty-handed.
Maybe you know, or can direct me to somewhere that I can search to figure this out.
Thanks as always.
Things that come simple to others is a true mofo for me.
01-14-2002, 11:39 AM | #15 | Moderator, Registered: May 2001, Posts: 29,417
First guess would be to check the qpopper log for errors; if none show up, check the sendmail log; if none show up, start qpopper with the -d option and see if it adds debugging info to its log (same for sendmail if it's sendmail related, of course). If this doesn't do a thing, check the permissions on where qpopper is supposed to write its dotlocks (mail spool): it expects "root.mail", where you just made it "sendmail.sendmail", so maybe we should make it "sendmail.mail", or "root.sendmail" and "chmod 0770 /var/mail" so it's writable for owner and group. If this doesn't do a thing, check the Qpopper manual/FAQ/website...
HTH somehow, please report back any clues, OK, I'm no guru :-]