[AMaViS-user] amavisd-new 2.6.x does not run chrooted on *BSD
A discussion from the Amavis User forums, part of the Anti-Spam and Anti-Virus Related Forums category.
Hi,
on *BSD (at least tested with FreeBSD 6.x and 7.x and OpenBSD 4.3) amavisd-new does not run chrooted:

[root@FBSD70VM ~]# amavisd debug
May 22 10:47:51.064 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: starting. /usr/local/sbin/amavisd at FBSD70VM.v-pe.de amavisd-new-2.6.0 (20080423), Unicode aware
May 22 10:47:51.065 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: user=, EUID: 110 (110); group=, EGID: 110 110 (110 110)
May 22 10:47:51.065 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Perl version 5.008008
May 22 10:47:51.853 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: INFO: SA version: 3.2.4, 3.002004, no optional modules: Mail::SpamAssassin::SQLBasedAddrList Net::CIDR::Lite Sys::Hostname::Long DBD::mysql Mail::SpamAssassin::BayesStore::PgSQL IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF::Query
May 22 10:47:51.853 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: SpamControl: init_pre_chroot on SpamAssassin done
May 22 10:47:51.854 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: 2008/05/22-10:47:51 Amavis (type Net::Server::PreForkSimple) starting! pid(81036)
May 22 10:47:51.862 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
May 22 10:47:51.863 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
May 22 10:47:51.864 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Group Not Defined. Defaulting to EGID '110 110'
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: User Not Defined. Defaulting to EUID '110'
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Chrooting to /var/amavis
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: (!)Net::Server: 2008/05/22-10:47:51 Couldn't chroot to "/var/amavis": Operation not permitted\n at line 523 in file /usr/local/lib/perl5/site_perl/5.8.8/Net/Server.pm
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: 2008/05/22-10:47:51 Server closing!
[root@FBSD70VM ~]#

I guess Net::Server tries to chroot as non-root (GID/UID vscan) which according to "man 2 chroot" is not allowed:

[root@BSDHelmut ~]# man 2 chroot
CHROOT(2)                 FreeBSD System Calls Manual                CHROOT(2)
[..]
     This call is restricted to the super-user.
[...]
[root@BSDHelmut ~]#

Any way to get amavisd-new 2.6 up and running on *BSD systems?

Thanks,
Helmut

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/...fo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
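The ordering the man page excerpt above forces on a daemon, shown as an added example that is not code from amavisd-new or Net::Server. A process started as root has to call chroot(2) while it is still root and switch to the unprivileged uid/gid only afterwards; the reverse order produces exactly the "Couldn't chroot ... Operation not permitted" failure in the log. The uid/gid 110 and /var/amavis are taken from the log; the SimulatedKernel class is an assumption of this example (a stand-in for the os calls) so that both orderings can be run without root, while the real functions default to the os module.

```python
"""Enter a chroot jail and drop privileges in the order that works.

Added example; not amavisd-new or Net::Server code.  chroot(2) is restricted
to the super-user, so a daemon started as root must chroot() first and
setuid() afterwards.  The log above shows the reverse: the process is
already EUID 110 when Net::Server calls chroot, and chroot fails with EPERM.
"""
import os


def enter_jail_and_drop_privileges(chroot_dir, uid, gid, kernel=os):
    """Chroot (if chroot_dir is set) and then switch to uid/gid; returns the steps taken.

    `kernel` must provide geteuid/chroot/chdir/setgroups/setgid/setuid.  It
    defaults to the real os module and is a parameter only so the sequence
    can be exercised below without being root.
    """
    steps = []
    if chroot_dir:
        if kernel.geteuid() != 0:
            # The situation from the log: privileges are already gone.
            raise PermissionError(
                "cannot chroot to %r with EUID %d: chroot(2) is restricted to the super-user"
                % (chroot_dir, kernel.geteuid()))
        kernel.chroot(chroot_dir)
        kernel.chdir("/")  # the cwd must not stay outside the new root
        steps += ["chroot " + chroot_dir, "chdir /"]
    if kernel.geteuid() == 0:
        kernel.setgroups([gid])  # shed root's supplementary groups first
        kernel.setgid(gid)       # gid before uid: setgid itself needs root
        kernel.setuid(uid)       # last, because nothing above works afterwards
        steps += ["setgroups [%d]" % gid, "setgid %d" % gid, "setuid %d" % uid]
    if kernel.geteuid() != uid:
        raise PermissionError("still EUID %d after privilege drop" % kernel.geteuid())
    return steps


def privileges_first_then_chroot(chroot_dir, uid, gid, kernel=os):
    """The reverse order, for comparison: drop privileges, then try to chroot.

    Returns None if the chroot succeeded, otherwise the error text.  Against a
    real kernel (run as root) this is the "Operation not permitted" from the log.
    """
    kernel.setgroups([gid])
    kernel.setgid(gid)
    kernel.setuid(uid)
    try:
        kernel.chroot(chroot_dir)
    except PermissionError as e:
        return str(e)
    return None


class SimulatedKernel:
    """Stand-in for the os calls used above (an assumption of this example, not
    a real kernel) so the ordering rules can be demonstrated without root."""

    def __init__(self, euid=0):
        self.euid = euid
        self.gid = 0
        self.groups = [0]
        self.root = "/"

    def geteuid(self):
        return self.euid

    def _root_only(self, call):
        if self.euid != 0:
            raise PermissionError(1, "Couldn't %s: Operation not permitted" % call)

    def chroot(self, path):
        self._root_only("chroot to %r" % path)
        self.root = path

    def chdir(self, path):
        pass

    def setgroups(self, groups):
        self._root_only("setgroups")
        self.groups = list(groups)

    def setgid(self, gid):
        self._root_only("setgid")
        self.gid = gid

    def setuid(self, uid):
        if self.euid != 0 and uid != self.euid:
            raise PermissionError(1, "Couldn't setuid: Operation not permitted")
        self.euid = uid


if __name__ == "__main__":
    print(enter_jail_and_drop_privileges("/var/amavis", 110, 110, kernel=SimulatedKernel()))
    print(privileges_first_then_chroot("/var/amavis", 110, 110, kernel=SimulatedKernel()))
```

Calling enter_jail_and_drop_privileges with no chroot_dir while already running as the daemon user is the "-u vscan" or "su vscan" start discussed later in the thread: nothing needs root, so nothing is done as root.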
Helmut,

> on *BSD (at least tested with FreeBSD 6.x and 7.x and OpenBSD 4.3)
> amavisd-new does not run chrooted:
>
> I guess Net::Server tries to chroot as non-root (GID/UID vscan) which
> according to "man 2 chroot" is not allowed:

Indeed, thanks for a bug report, amavisd-new-2.6.0 drops privileges too early. Until I have this fixed, please provide a chroot directory through a command line using option -R, e.g.:

# amavisd -R /var/amavis

Btw, I see that the following change is needed too when running chrooted with recent versions of NetAddr::IP :

--- amavisd.orig 2008-04-23 20:50:05.000000000 +0200 +++ amavisd 2008-05-27 19:41:48.000000000 +0200 @@ -20087,6 +20087,6 @@ Mail::SPF::SenderIPAddrMech Mail::SPF::v1::Record Mail::SPF::v2::Record - NetAddr::IP NetAddr::IP::Util - auto::NetAddr::IP::Util::inet_n2dx auto::NetAddr::IP::Util::ipv6_n2d)); + NetAddr::IP NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx + auto::NetAddr::IP::Util::ipv6_n2d auto::NetAddr::IP::Util::ipv6_n2x)); } # the 3.2.0 could support the old Mail::SPF::Query too

Mark
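Review bot: the hunk only appends auto::NetAddr::IP::Util::ipv6_n2x to the hard-coded qw() preload list (the two removed lines and the two added ones differ by that single name), but nothing in it says what happens on a NetAddr::IP release that has no ipv6_n2x autoload stub, so record in the ChangeLog which NetAddr::IP version this list assumes and make sure a missing entry is reported as a warning rather than aborting startup. Also, the header claims six lines on each side while the visible hunk carries three context lines plus two removed and two added, i.e. five; check that the patch still applies cleanly rather than trusting the copy as pasted here.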
Mark Martinec <Mark.Martinec+amavis@ijs.si> wrote:

>> on *BSD (at least tested with FreeBSD 6.x and 7.x and OpenBSD 4.3)
>> amavisd-new does not run chrooted:
>>
>> I guess Net::Server tries to chroot as non-root (GID/UID vscan) which
>> according to "man 2 chroot" is not allowed:
>
> Indeed, thanks for a bug report, amavisd-new-2.6.0 drops privileges
> too early. Until I have this fixed, please provide a chroot directory
> through a command line using option -R, e.g.:
>
> # amavisd -R /var/amavis
>
> Btw, I see that the following change is needed too
> when running chrooted with recent versions of NetAddr::IP :
>
> --- amavisd.orig 2008-04-23 20:50:05.000000000 +0200 > +++ amavisd 2008-05-27 19:41:48.000000000 +0200 > @@ -20087,6 +20087,6 @@ > Mail::SPF::SenderIPAddrMech > Mail::SPF::v1::Record Mail::SPF::v2::Record > - NetAddr::IP NetAddr::IP::Util > - auto::NetAddr::IP::Util::inet_n2dx > auto::NetAddr::IP::Util::ipv6_n2d)); + NetAddr::IP > NetAddr::IP::Util auto::NetAddr::IP::Util::inet_n2dx + > auto::NetAddr::IP::Util::ipv6_n2d auto::NetAddr::IP::Util::ipv6_n2x)); } > # the 3.2.0 could support the old Mail::SPF::Query too

afaics that one's fine, thanks.
Helmut,

> > Indeed, thanks for a bug report, amavisd-new-2.6.0 drops privileges
> > too early. Until I have this fixed, please provide a chroot directory
> > through a command line using option -R, e.g.:
> > # amavisd -R /var/amavis

The following patch should fix the problem:

--- amavisd.orig 2008-04-23 20:50:05.000000000 +0200 +++ amavisd 2008-05-28 14:52:51.000000000 +0200 @@ -12550,6 +12550,5 @@ if ($> != 0 && $< != 0) {} # dropping of privs is not needed -elsif (defined $daemon_chroot_dir_override && - $daemon_chroot_dir_override ne '') { +elsif (defined $daemon_chroot_dir && $daemon_chroot_dir ne '') { # dropping of privs now would prevent later chroot and is to be skipped } else { # drop privileges, unless needed for chrooting

Mark
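Review bot: the new elsif keys on $daemon_chroot_dir instead of $daemon_chroot_dir_override, so the early privilege drop is now skipped whenever a chroot directory is configured, not only when -R is given; that cures the reported EPERM, but it widens the window in which the daemon keeps root until the later chroot, and the hunk shows no handling for that later chroot failing, so confirm that path exits rather than carrying on as root. Also confirm that the -R value has been merged into $daemon_chroot_dir before this point: the hunk removes the only reference to $daemon_chroot_dir_override in this region, and the -R workaround recommended earlier in the thread would otherwise regress.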
Mark Martinec <Mark.Martinec+amavis@ijs.si> wrote:

> Helmut,
>
>>> Indeed, thanks for a bug report, amavisd-new-2.6.0 drops privileges
>>> too early. Until I have this fixed, please provide a chroot directory
>>> through a command line using option -R, e.g.:
>>> # amavisd -R /var/amavis
>
> The following patch should fix the problem:
>
> --- amavisd.orig 2008-04-23 20:50:05.000000000 +0200 > +++ amavisd 2008-05-28 14:52:51.000000000 +0200 > @@ -12550,6 +12550,5 @@ > > if ($> != 0 && $< != 0) {} # dropping of privs is not needed > -elsif (defined $daemon_chroot_dir_override && > - $daemon_chroot_dir_override ne '') { > +elsif (defined $daemon_chroot_dir && $daemon_chroot_dir ne '') { > # dropping of privs now would prevent later chroot and is to be skipped > } else { # drop privileges, unless needed for chrooting

It does.
Mark Martinec wrote:
|
| Indeed, thanks for a bug report, amavisd-new-2.6.0 drops privileges
| too early. Until I have this fixed, please provide a chroot directory
| through a command line using option -R, e.g.:
|

Another problem with 2.6.0 is that it drops privileges too early and can't open pid file in /var/run.

--
Tuomo Soini <tis@foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
On Thu, May 29, 2008 at 08:50:15AM +0300, Tuomo Soini wrote:

> Mark Martinec wrote:
> |
> | Indeed, thanks for a bug report, amavisd-new-2.6.0 drops privileges
> | too early. Until I have this fixed, please provide a chroot directory
> | through a command line using option -R, e.g.:
> |
> Another problem with 2.6.0 is that it drops privileges too early and
> can't open pid file in /var/run.

Why /var/run? By default it's $MYHOME/amavisd.pid. From security's point of view, there is no reason to write files as root. Or to even start amavisd as root if you are not chrooting.
On Thursday 29 May 2008 09:06:18 Henrik K wrote:

> On Thu, May 29, 2008 at 08:50:15AM +0300, Tuomo Soini wrote:
> > Another problem with 2.6.0 is that it drops privileges too early and
> > can't open pid file in /var/run.
>
> Why /var/run? By default it's $MYHOME/amavisd.pid. From security's point of
> view, there is no reason to write files as root. Or to even start amavisd
> as root if you are not chrooting.

Agreed. It is unlikely this would be changed back to a previous (more risky) behaviour. It should be documented in release notes though - will do so.

When not running chrooted it is also less risky to specify '-u vscan' as a command line option to amavisd, or to start it as 'su vscan', instead of starting it as root, letting it read its config file as root, and only then dropping privileges (this is necessary because the $daemon_user setting is not known before reading a config file, unless overridden by -u).

Mark
Henrik K <hege@hege.li> wrote:

> On Thu, May 29, 2008 at 08:50:15AM +0300, Tuomo Soini wrote:
>> Mark Martinec wrote:
>> |
>>> Indeed, thanks for a bug report, amavisd-new-2.6.0 drops privileges
>>> too early. Until I have this fixed, please provide a chroot directory
>>> through a command line using option -R, e.g.:
>> |
>> Another problem with 2.6.0 is that it drops privileges too early and
>> can't open pid file in /var/run.
>
> Why /var/run? By default it's $MYHOME/amavisd.pid. From security's point of
> view, there is no reason to write files as root. Or to even start
> amavisd as root if you are not chrooting.

The directory a process is chrooted to should *never* be writable by the process itself, for security reasons! I suggest changing $MYHOME/amavisd.pid to something like $MYHOME/var/run/amavisd.pid.
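A check for the layout proposed in the post above, as an added example that is not amavisd-new code: the jail root (for amavisd, $MYHOME such as /var/amavis) is expected not to be writable by the daemon's uid/gid, while a subdirectory for the pid file (the $MYHOME/var/run suggestion) is. The uid/gid 110 and /var/amavis come from the log at the start of the thread; the two directory trees that demo() builds under a temporary directory are constructed test data, and the audit judges writability from the classic mode bits only, which is an assumption of this example (ACLs, immutable flags and root's override are ignored).

```python
"""Audit a chroot jail's root and pid-file directory for an unprivileged daemon.

Added example; not amavisd-new code.  It checks the two points raised in the
thread: the directory the daemon is chrooted to should not be writable by the
daemon's uid/gid, and the pid file should live in a subdirectory that is
writable by that uid, not in the jail root itself.
"""
import os
import shutil
import stat
import tempfile


def writable_by(path, uid, gid):
    """Whether a process running as uid/gid could write `path`, judged from the
    classic mode bits only (ACLs, immutable flags and root's override are ignored)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_jail(root, uid, gid, pid_subdir="var/run"):
    """Return a list of findings for the jail at `root`; an empty list is a pass."""
    findings = []
    if writable_by(root, uid, gid):
        findings.append("jail root %s is writable by uid %d/gid %d" % (root, uid, gid))
    pid_dir = os.path.join(root, pid_subdir)
    if not os.path.isdir(pid_dir):
        findings.append("pid directory %s does not exist" % pid_dir)
    elif not writable_by(pid_dir, uid, gid):
        findings.append("pid directory %s is not writable by uid %d/gid %d" % (pid_dir, uid, gid))
    return findings


def demo():
    """Build one acceptable and one rejected layout (constructed test data) and
    audit both with the current user standing in for the daemon user.
    Returns (findings_for_good_layout, findings_for_bad_layout)."""
    uid, gid = os.getuid(), os.getgid()
    base = tempfile.mkdtemp(prefix="jail-audit-")
    good = os.path.join(base, "good")
    bad = os.path.join(base, "bad")
    try:
        for root in (good, bad):
            os.makedirs(os.path.join(root, "var", "run"))
            os.chmod(os.path.join(root, "var", "run"), 0o755)  # daemon user may write here
        os.chmod(good, 0o555)  # jail root owned by the daemon user but not writable by it
        os.chmod(bad, 0o755)   # jail root writable by its owner, i.e. by the daemon
        return audit_jail(good, uid, gid), audit_jail(bad, uid, gid)
    finally:
        for root in (good, bad):
            if os.path.isdir(root):
                os.chmod(root, 0o755)  # restore write permission so cleanup can proceed
        shutil.rmtree(base)


if __name__ == "__main__":
    for label, findings in zip(("good", "bad"), demo()):
        print(label, findings or ["ok"])
```

On a real installation the call is audit_jail("/var/amavis", 110, 110) run as root before starting the daemon; a non-empty result means either the jail root is owned and writable by the daemon user (the situation the post above warns against) or there is nowhere under the jail for the pid file once privileges are dropped.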