Fwd: hardened gentoo mailman/postfix/apache notes?
---------- Forwarded Message ----------
Subject: hardened gentoo mailman/postfix/apache notes?
Date: Wednesday, 2 January 2008
From: "Wang, Baojun" <wangbj@dslab.lzu.edu.cn>
To: gentoo-hardened@gentoo.org

hi folks:

I'm configuring gentoo hardened for virtual mail hosting using postfix+pgsql, basically following this document:

http://www.gentoo.org/doc/en/virt-mail-howto.xml

now the virtual email system is ok, but I have some problem with mailman and the mailman web interface (apache2). via `mail.log' I found postfix is unable to run the mailman script, like:

Jan 2 11:40:07 mail postfix/qmgr[17457]: B49BC108: from=<wangbj@dslab.lzu.edu.cn>, size=1784, nrcpt=1 (queue active)
Jan 2 11:40:07 mail local[17601]: fatal: execvp /usr/local/mailman/mail/mailman: Permission denied
Jan 2 11:40:07 mail postfix/local[17600]: B49BC108: to=<dslab-programming@mail.dslab.lzu.edu.cn>, orig_to=<dslab-programming@dslab.lzu.edu.cn>, relay=local, delay=2385, delays=2385/0.05/0/0.04, dsn=4.3.0, status=deferred (temporary failure. Command output: local: fatal: execvp /usr/local/mailman/mail/mailman: Permission denied )

for the mailman web interface, apache2 also has a similar problem:

[Sat Dec 29 19:52:19 2007] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8g PHP/5.2.5-pl1-gentoo configured -- resuming normal operations
[Sat Dec 29 19:52:34 2007] [error] (13)Permission denied: exec of '/usr/local/mailman/cgi-bin/listinfo' failed
[Sat Dec 29 19:52:34 2007] [error] [client 60.165.13.245] Premature end of script headers: listinfo

Now I think all the configuration is working but the permissions have some problem. since I'm using gentoo hardened, I think the problems are because I'm using hardened gentoo. How can I solve this problem, and any hints?

Wang

--
Wang, Baojun
Lanzhou University Distributed & Embedded System Lab
http://dslab.lzu.edu.cn
School of Information Science and Engineering
wangbj_AT_lzu.edu.cn
Tianshui South Road 222. Lanzhou 730000 P.R.China
Tel:+86-931-8912025
Fax:+86-931-8912022
-------------------------------------------------------
--
gentoo-hardened@gentoo.org mailing list
Fwd: hardened gentoo mailman/postfix/apache notes?
On 2 Jan 2008 at 12:25, Wang, Baojun wrote:
> Now I think all the configuration is working but the permission have some
> problem, since I'm using gentoo hardened, I think the problems are because
> I'm using hardened gentoo, How can I solve this problem, and any hints?

are there any grsec denial logs? are you using the RBAC system? if so, what's the policy that applies to apache/mailman? are the normal filesystem permissions fine (i.e., can you execute the denied binaries by hand at least)?
Fwd: hardened gentoo mailman/postfix/apache notes?
On 2 Jan 2008 at 22:09, Wang, Baojun wrote:
> Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
> untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
> local[local:17733] uid/euid:280/280 gid/egid:280/280,
> parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207

'untrusted exec' is a sign of your using TPE, i suggest you check the kernel help on it and make sure the access rights on the path leading up to the executables are proper (in particular, only root should be able to write to the executables).

> or should I chown -R root:root /usr/local/mailman and chown a-S
> /usr/local/mailman?

something like that will be needed, yes, but i don't know what exact permissions mailman needs to properly function, so be careful.
Fwd: hardened gentoo mailman/postfix/apache notes?
On Wednesday 02 January 2008 21:41:13, pageexec@freemail.hu wrote:
> On 2 Jan 2008 at 22:09, Wang, Baojun wrote:
> > Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
> > untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
> > local[local:17733] uid/euid:280/280 gid/egid:280/280,
> > parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207
>
> 'untrusted exec' is a sign of your using TPE, i suggest you check
> the kernel help on it and make sure the access rights on the path
> leading up to the executables are proper (in particular, only root
> should be able to write to the executables).

OK, I've checked TPE. since I'm using Grsecurity level hardened gentoo, TPE is enabled by default, and I've configured the gid for trusted users to 10 (wheel), but mailman is 280. I'd like to leave it as it is, but I have to add 280 to tpe_gid. I've tried

echo "10 280" > /proc/sys/kernel/grsecurity

but after that only 280 is in the (proc) file. is there any way to add more than 1 group to tpe_gid? Also, even if I echo 280 to /proc/sys/kernel/grsecurity, it still doesn't solve the problem. now the problem is solved by

echo 0 > /proc/sys/kernel/grsecurity/tpe

but I wonder whether there is a better solution instead.

> > or should I chown -R root:root /usr/local/mailman and chown a-S
> > /usr/local/mailman?
>
> something like that will be needed, yes, but i don't know what exact
> permissions mailman needs to properly function, so be careful.

I have also tried this, but mailman said it expects the program to be invoked by group mailman ;-(, otherwise I need to configure mailman manually, and I don't like to do that.

--
Wang, Baojun
Lanzhou University Distributed & Embedded System Lab
http://dslab.lzu.edu.cn
School of Information Science and Engineering
wangbj_AT_lzu.edu.cn
Tianshui South Road 222. Lanzhou 730000 P.R.China
Tel:+86-931-8912025
Fax:+86-931-8912022
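To see what pageexec's advice amounts to (and what the chown attempt above was aiming at), here is an added POSIX shell check; it is not code from the thread or from grsecurity. It walks every directory from / down to a given executable and reports any component that is not owned by root or is group- or world-writable, which is the ownership rule behind a TPE "denied untrusted exec". Assumptions: GNU `stat -c '%u %a'` is available, and checking every component is deliberately stricter than the kernel's own test, so a path that passes here also passes TPE.

```shell
#!/bin/sh
# Added example, not from the thread or from grsecurity: approximate the
# ownership/permission rule behind a TPE "denied untrusted exec" for one
# executable. Assumption: every path component from / down to the binary
# must be owned by uid 0 and must not be group- or world-writable. This is
# stricter than the kernel's own check, so a path that passes here also
# passes TPE; a failing component is a candidate for chown root / chmod go-w.

# tpe_component_ok UID MODE: accept one component given its numeric owner
# and octal mode string as printed by `stat -c '%u %a'` (e.g. 0 2755).
# Returns 0 when acceptable, 1 when TPE would treat it as untrusted.
tpe_component_ok() {
    uid=$1
    mode=$2
    [ "$uid" -eq 0 ] || return 1
    oth=${mode#"${mode%?}"}          # last octal digit: others
    rest=${mode%?}
    grp=${rest#"${rest%?}"}          # second to last: group (may be empty)
    # Octal write bit is 2; reject if it is set for group or others.
    [ $(( ${grp:-0} & 2 )) -eq 0 ] || return 1
    [ $(( ${oth:-0} & 2 )) -eq 0 ] || return 1
    return 0
}

# tpe_path_check /abs/path/to/exe: walk from the file up to / and report
# every component TPE would object to. Returns 0 if all are fine, 1 if any
# component fails, 2 on usage or stat error.
tpe_path_check() {
    p=$1
    case $p in /*) ;; *) echo "usage: tpe_path_check /absolute/path" >&2; return 2 ;; esac
    rc=0
    while :; do
        info=$(stat -c '%u %a' "$p" 2>/dev/null) || { echo "cannot stat $p" >&2; return 2; }
        set -- $info
        if ! tpe_component_ok "$1" "$2"; then
            echo "TPE would reject $p: owner uid $1, mode $2" >&2
            rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# The wrapper postfix failed to exec in the thread would be checked with:
# tpe_path_check /usr/local/mailman/mail/mailman
```

Note that mailman's wrappers are setgid to the mailman group (mode 2755 in `stat` output), which the check accepts as long as the owner is root and no write bit is set for group or others.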
Fwd: hardened gentoo mailman/postfix/apache notes?
You should recompile your kernel and choose a different gid for tpe (anything above 1024 would be a good choice). Alternatively, you could turn the feature off. ;)

brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002

On Thu, 3 Jan 2008, Wang, Baojun wrote:

> Date: Thu, 3 Jan 2008 00:11:10 +0800
> From: "Wang, Baojun" <wangbj@lzu.edu.cn>
> Reply-To: gentoo-hardened@lists.gentoo.org
> To: gentoo-hardened@lists.gentoo.org
> Cc: pageexec@freemail.hu
> Subject: Re: [gentoo-hardened] Fwd: hardened gentoo mailman/postfix/apache notes?
>
> On Wednesday 02 January 2008 21:41:13, pageexec@freemail.hu wrote:
> > On 2 Jan 2008 at 22:09, Wang, Baojun wrote:
> > > Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
> > > untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
> > > local[local:17733] uid/euid:280/280 gid/egid:280/280,
> > > parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207
> >
> > 'untrusted exec' is a sign of your using TPE, i suggest you check
> > the kernel help on it and make sure the access rights on the path
> > leading up to the executables are proper (in particular, only root
> > should be able to write to the executables).
>
> OK, I've checked TPE. since I'm using Grsecurity level hardened gentoo, TPE
> is enabled by default, and I've configured the gid for trusted users to 10
> (wheel), but mailman is 280. I'd like to leave it as it is, but I have to
> add 280 to tpe_gid. I've tried
>
> echo "10 280" > /proc/sys/kernel/grsecurity
>
> but after that only 280 is in the (proc) file. is there any way to add
> more than 1 group to tpe_gid? Also, even if I echo 280 to
> /proc/sys/kernel/grsecurity, it still doesn't solve the problem. now the
> problem is solved by echo 0 > /proc/sys/kernel/grsecurity/tpe, but I
> wonder whether there is a better solution instead.
>
> > > or should I chown -R root:root /usr/local/mailman and chown a-S
> > > /usr/local/mailman?
> >
> > something like that will be needed, yes, but i don't know what exact
> > permissions mailman needs to properly function, so be careful.
>
> I have also tried this, but mailman said it expects the program to be
> invoked by group mailman ;-(, otherwise I need to configure mailman
> manually, and I don't like to do that.
Fwd: hardened gentoo mailman/postfix/apache notes?
On Thursday 03 January 2008 00:19:27, brant williams wrote:
> You should recompile your kernel and choose a different gid for tpe
> (anything above 1024 would be a good choice). Alternatively, you could
> turn the feature off. ;)

makes sense, but using sysctl is ok since I've enabled the sysctl feature under grsecurity. should be something like:

sysctl -w kernel.grsecurity.tpe=0

Thanks for help ;)

Wang

> brant williams
> FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002
>
> On Thu, 3 Jan 2008, Wang, Baojun wrote:
> > Date: Thu, 3 Jan 2008 00:11:10 +0800
> > From: "Wang, Baojun" <wangbj@lzu.edu.cn>
> > Reply-To: gentoo-hardened@lists.gentoo.org
> > To: gentoo-hardened@lists.gentoo.org
> > Cc: pageexec@freemail.hu
> > Subject: Re: [gentoo-hardened] Fwd: hardened gentoo
> > mailman/postfix/apache notes?
> >
> > On Wednesday 02 January 2008 21:41:13, pageexec@freemail.hu wrote:
> > > On 2 Jan 2008 at 22:09, Wang, Baojun wrote:
> > > > Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
> > > > untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
> > > > local[local:17733] uid/euid:280/280 gid/egid:280/280,
> > > > parent /usr/lib/postfix/local[local:17732] uid/euid:0/207
> > > > gid/egid:0/207
> > >
> > > 'untrusted exec' is a sign of your using TPE, i suggest you check
> > > the kernel help on it and make sure the access rights on the path
> > > leading up to the executables are proper (in particular, only root
> > > should be able to write to the executables).
> >
> > OK, I've checked TPE. since I'm using Grsecurity level hardened gentoo, TPE
> > is enabled by default, and I've configured the gid for trusted users to 10
> > (wheel), but mailman is 280. I'd like to leave it as it is, but I have to
> > add 280 to tpe_gid. I've tried
> >
> > echo "10 280" > /proc/sys/kernel/grsecurity
> >
> > but after that only 280 is in the (proc) file. is there any way to add
> > more than 1 group to tpe_gid? Also, even if I echo 280
> > to /proc/sys/kernel/grsecurity, it still doesn't solve the problem. now
> > the problem is solved by echo 0 > /proc/sys/kernel/grsecurity/tpe, but I
> > wonder whether there is a better solution instead.
> >
> > > > or should I chown -R root:root /usr/local/mailman and chown a-S
> > > > /usr/local/mailman?
> > >
> > > something like that will be needed, yes, but i don't know what exact
> > > permissions mailman needs to properly function, so be careful.
> >
> > I have also tried this, but mailman said it expects the program to be
> > invoked by group mailman ;-(, otherwise I need to configure mailman
> > manually, and I don't like to do that.

--
Wang, Baojun
Lanzhou University Distributed & Embedded System Lab
http://dslab.lzu.edu.cn
School of Information Science and Engineering
wangbj_AT_lzu.edu.cn
Tianshui South Road 222. Lanzhou 730000 P.R.China
Tel:+86-931-8912025
Fax:+86-931-8912022