
"Wang, Baojun" 01-02-2008 03:25 AM

Fwd: hardened gentoo mailman/postfix/apache notes?
 
---------- Forwarded Message ----------

Subject: hardened gentoo mailman/postfix/apache notes?
Date: Wednesday, 2 January 2008
From: "Wang, Baojun" <wangbj@dslab.lzu.edu.cn>
To: gentoo-hardened@gentoo.org

hi folk:

I'm configuring gentoo hardened for virtual mail hosting using postfix+pgsql
basically following this document:
http://www.gentoo.org/doc/en/virt-mail-howto.xml
now the virtual email system is OK, but I have some problems with mailman and
the mailman web interface (apache2); via `mail.log' I found postfix is unable
to run the mailman script:

Jan 2 11:40:07 mail postfix/qmgr[17457]: B49BC108:
from=<wangbj@dslab.lzu.edu.cn>, size=1784, nrcpt=1 (queue active)
Jan 2 11:40:07 mail local[17601]: fatal:
execvp /usr/local/mailman/mail/mailman: Permission denied
Jan 2 11:40:07 mail postfix/local[17600]: B49BC108:
to=<dslab-programming@mail.dslab.lzu.edu.cn>,
orig_to=<dslab-programming@dslab.lzu.edu.cn>, relay=local, delay=2385,
delays=2385/0.05/0/0.04, dsn=4.3.0, status=deferred (temporary failure.
Command output: local: fatal: execvp /usr/local/mailman/mail/mailman:
Permission denied )

for the mailman web interface, apache2 also has a similar problem:

[Sat Dec 29 19:52:19 2007] [notice] Apache/2.2.6 (Unix) mod_ssl/2.2.6
OpenSSL/0.9.8g PHP/5.2.5-pl1-gentoo configured -- resuming normal operations
[Sat Dec 29 19:52:34 2007] [error] (13)Permission denied: exec
of '/usr/local/mailman/cgi-bin/listinfo' failed
[Sat Dec 29 19:52:34 2007] [error] [client 60.165.13.245] Premature end of
script headers: listinfo


Now I think all the configuration is working but the permissions have some
problem. Since I'm using Gentoo Hardened, I think the problems are because
I'm using hardened Gentoo. How can I solve this problem? Any hints?

Wang
--
Wang, Baojun                                        Lanzhou University
Distributed & Embedded System Lab              http://dslab.lzu.edu.cn
School of Information Science and Engineering     wangbj_AT_lzu.edu.cn
Tianshui South Road 222, Lanzhou 730000                      P.R.China
Tel: +86-931-8912025                              Fax: +86-931-8912022

-------------------------------------------------------

--
gentoo-hardened@gentoo.org mailing list

01-02-2008 11:38 AM

Fwd: hardened gentoo mailman/postfix/apache notes?
 
On 2 Jan 2008 at 12:25, Wang, Baojun wrote:

> Now I think all the configuration is working but the permission have some
> problem, since I'm using gentoo hardened, I think the problems are because
> I'm using hardened gentoo, How can I solve this problem, and any hints?

are there any grsec denial logs? are you using the RBAC system?
if so, what's the policy that applies to apache/mailman? are the
normal filesystem permissions fine (i.e., can you execute the
denied binaries by hand at least)?

--
gentoo-hardened@gentoo.org mailing list
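Finding the relevant denial lines in a busy syslog is the first step pageexec's question points at. The following is an added example, not code from the thread or from grsecurity itself: two POSIX shell functions that scan log lines for grsecurity "denied untrusted exec" events and report the denied executable, the gid of the denied process and the program that attempted the exec. The sample log is constructed for the example (its first line is the denial quoted later in this thread, re-joined onto one line; the 192.0.2.10 line and the apache2 uid/gid 81 are invented), and the sysctl name kernel.grsecurity.tpe_gid mentioned in a comment is assumed from the tpe_gid name used in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): scan syslog-style lines for
# grsecurity TPE denials and summarize what was denied and for which gid.

# Constructed sample log.  The first line is the denial reported in this
# thread, re-joined onto one line; the second is made up to show a second
# service (an apache2 CGI) hitting the same policy; the third is an
# unrelated postfix line that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/local[local:17733] uid/euid:280/280 gid/egid:280/280, parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207
Jan 2 12:20:09 mail [687057.100000] grsec: From 192.0.2.10: denied untrusted exec of /usr/local/mailman/cgi-bin/listinfo by /usr/sbin/apache2[apache2:2001] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:1990] uid/euid:0/0 gid/egid:0/0
Jan 2 12:20:10 mail postfix/qmgr[17457]: B49BC108: from=<user@example.com>, size=1784, nrcpt=1 (queue active)
EOF
)

# grsec_exec_denials: read log lines on stdin, print one line per TPE
# denial in the form "<denied path> <gid of denied process> <program>".
grsec_exec_denials() {
    awk '
    /grsec: .*denied untrusted exec of / {
        path = $0
        sub(/.*denied untrusted exec of /, "", path)
        by = path                      # "PATH by PROG[...] uid/euid:..."
        sub(/ by .*/, "", path)        # keep only PATH
        sub(/^[^ ]* by /, "", by)      # drop "PATH by "
        sub(/\[.*/, "", by)            # drop "[name:pid] ..." after PROG
        # The first gid/egid pair belongs to the denied process; the
        # second belongs to its parent, so take the first match only.
        gid = "?"
        if (match($0, /gid\/egid:[0-9]+/))
            gid = substr($0, RSTART + 9, RLENGTH - 9)
        print path, gid, by
    }'
}

# tpe_denied_gids: the distinct gids that were denied, one per line.
# These are the candidates to review before adding one of them to the
# trusted gid (kernel.grsecurity.tpe_gid, name assumed) or changing
# ownership along the path.
tpe_denied_gids() {
    grsec_exec_denials | awk '{ print $2 }' | sort -n | uniq
}

# Usage: pipe a real log through it, e.g.
#   grsec_exec_denials < /var/log/messages
# or run this file with --demo to process the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | grsec_exec_denials
    printf '%s\n' "$SAMPLE_LOG" | tpe_denied_gids
fi
```

The first gid/egid pair is the one that matters: it is the group the denied process actually ran as, which is what a TPE policy compares against the trusted gid. The parent's ids (root, then a setgid drop) only explain how the process got there.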

01-02-2008 12:41 PM

Fwd: hardened gentoo mailman/postfix/apache notes?
 
On 2 Jan 2008 at 22:09, Wang, Baojun wrote:

> Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
> untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
> local[local:17733] uid/euid:280/280 gid/egid:280/280,
> parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207

'untrusted exec' is a sign of your using TPE, i suggest you check
the kernel help on it and make sure the access rights on the path
leading up to the executables are proper (in particular, only root
should be able to write to the executables).

> or should I chown -R root:root /usr/local/mainman and chown a-S
> /usr/local/manman?

something like that will be needed, yes, but i don't know what exact
permissions mailman needs to properly function, so be careful.

--
gentoo-hardened@gentoo.org mailing list
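pageexec's advice is to audit the access rights on the whole path leading to the denied executable. The script below is an added example, not from the thread or from grsecurity's own code: a POSIX shell function that walks from the executable up to / (or up to a chosen top directory) and reports every component that is not owned by the trusted owner or is group- or world-writable, the conditions that make a path untrusted under TPE. It approximates the kernel's check rather than reproducing it exactly; the OWNER and TOP parameters are assumptions added so the check can be run on a scratch tree without root.

```shell
#!/bin/sh
# Added example (not from the thread): check the ownership and write bits
# of an executable and every directory above it, the properties a TPE
# policy looks at before letting an untrusted user execute the file.

# tpe_path_check FILE [OWNER] [TOP]
#   FILE  - the executable that was denied
#   OWNER - the only account that may own/write the chain (default: root,
#           which is what grsecurity TPE trusts; a parameter here so the
#           check can be exercised on a scratch tree as a normal user)
#   TOP   - stop after checking this ancestor (default: /)
# Prints one line per offending component; returns 0 when clean, 1 otherwise.
# This is an approximation of the kernel's check, not its exact logic.
tpe_path_check() {
    file=$1
    owner=${2:-root}
    top=${3:-/}
    rc=0
    p=$file
    while :; do
        # ls -ld fields: mode links owner group ...  (portable to BSD and GNU)
        set -- $(ls -ld "$p")
        mode=$1
        who=$3
        g_w=$(printf '%s' "$mode" | cut -c6)   # group write bit
        o_w=$(printf '%s' "$mode" | cut -c9)   # other write bit
        if [ "$who" != "$owner" ]; then
            printf '%s: owned by %s, not %s\n' "$p" "$who" "$owner"
            rc=1
        fi
        if [ "$g_w" = "w" ] || [ "$o_w" = "w" ]; then
            printf '%s: writable by group or others (%s)\n' "$p" "$mode"
            rc=1
        fi
        if [ "$p" = "$top" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return $rc
}

# Usage: tpe_path_check /usr/local/mailman/mail/mailman
# A clean run prints nothing and exits 0.  Each reported component is a
# place where someone other than OWNER could replace the binary or a
# directory on the way to it, which is exactly what TPE refuses to trust.
if [ $# -ge 1 ]; then
    tpe_path_check "$@"
fi
```

Running it against the denied mailman binary before loosening tpe_gid or turning TPE off tells you whether the denial is pointing at a real weakness (a group-writable directory that the mailman group, or anyone, could plant a binary in) or only at an ownership convention that mailman needs.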

"Wang, Baojun" 01-02-2008 03:11 PM

Fwd: hardened gentoo mailman/postfix/apache notes?
 
On Wednesday 02 January 2008 21:41:13, pageexec@freemail.hu wrote:
> On 2 Jan 2008 at 22:09, Wang, Baojun wrote:
> > Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
> > untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
> > local[local:17733] uid/euid:280/280 gid/egid:280/280,
> > parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207
>
> 'untrusted exec' is a sign of your using TPE, i suggest you check
> the kernel help on it and make sure the access rights on the path
> leading up to the executables are proper (in particular, only root
> should be able to write to the executables).

OK, I've checked TPE. Since I'm using the Grsecurity level of hardened Gentoo, TPE is
enabled by default, and I've configured the gid for trusted users to 10
(wheel), but mailman is 280. I'd like to leave it as it is, but I have to add
280 to tpe_gid. I've tried

echo "10 280" > /proc/sys/kernel/grsecurity

but after that only 280 is in the (proc) file. Is there any way to add more
than one group to tpe_gid? Also, even if I echo 280
to /proc/sys/kernel/grsecurity, it still doesn't solve the problem. Now the
problem is solved by echo 0 > /proc/sys/kernel/grsecurity/tpe, but I wonder
whether there is a better solution instead.


> > or should I chown -R root:root /usr/local/mainman and chown a-S
> > /usr/local/manman?
>
> something like that will be needed, yes, but i don't know what exact
> permissions mailman needs to properly function, so be careful.

I have also tried this, but mailman said it expects the program to be invoked by
group mailman ;-(, otherwise I need to configure mailman manually, which I don't
like to do.

--
Wang, Baojun                                        Lanzhou University
Distributed & Embedded System Lab              http://dslab.lzu.edu.cn
School of Information Science and Engineering     wangbj_AT_lzu.edu.cn
Tianshui South Road 222, Lanzhou 730000                      P.R.China
Tel: +86-931-8912025                              Fax: +86-931-8912022

brant williams 01-02-2008 03:19 PM

Fwd: hardened gentoo mailman/postfix/apache notes?
 
You should recompile your kernel and choose a different gid for tpe
(anything above 1024 would be a good choice). Alternatively, you could
turn the feature off. ;)



brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002




"Wang, Baojun" 01-02-2008 03:39 PM

Fwd: hardened gentoo mailman/postfix/apache notes?
 
On Thursday 03 January 2008 00:19:27, brant williams wrote:
> You should recompile your kernel and choose a different gid for tpe
> (anything above 1024 would be a good choice). Alternatively, you could
> turn the feature off. ;)

Makes sense, but using sysctl is OK since I've enabled the sysctl feature under
grsecurity; it should be something like:

sysctl -w kernel.grsecurity.tpe=0

Thanks for the help ;)

Wang

--
Wang, Baojun                                        Lanzhou University
Distributed & Embedded System Lab              http://dslab.lzu.edu.cn
School of Information Science and Engineering     wangbj_AT_lzu.edu.cn
Tianshui South Road 222, Lanzhou 730000                      P.R.China
Tel: +86-931-8912025                              Fax: +86-931-8912022

