FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Hardened

 
 
LinkBack Thread Tools
 
Old 01-02-2008, 01:26 PM
"Wang, Baojun"
 
Default Fwd: Fwd: hardened gentoo mailman/postfix/apache notes?

---------- Forwarded Message ----------

Subject:Re: [gentoo-hardened] Fwd: hardened gentoo mailman/postfix/apache
notes?
Date:2008年1月2日 星期三
From:"Wang, Baojun" <wangbj@dslab.lzu.edu.cn>
To:gentoo-hardened@lists.gentoo.org

On Wednesday 02 January 2008 20:38:33, pageexec@freemail.hu wrote:
> On 2 Jan 2008 at 12:25, Wang, Baojun wrote:
> > Now I think all the configuration is working but the permission have some
> > problem, since I'm using gentoo hardened, I think the problems are
> > because I'm using hardened gentoo, How can I solve this problem, and any
> > hints?
>
> are there any grsec denial logs? are you using the RBAC system?
> if so, what's the policy that applies to apache/mailman? are the
> normal filesystem permissions fine (i.e., can you execute the
> denied binaries by hand at least)?

in /var/log/kern.log

...
Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied
untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/
local[local:17733] uid/euid:280/280 gid/egid:280/280,
parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207
...

mail ~ # id postfix
uid=207(postfix) gid=207(postfix) groups=207(postfix),12(mail)
mail ~ # id mailman
uid=280(mailman) gid=280(mailman) groups=280(mailman),16(cron)

in /var/log/kern.log

...
Jan 2 22:01:18 mail [721866.753519] grsec: From 202.201.0.151: chdir
to /usr/local/mailman/cgi-bin by /usr/sbin/apache2[apache2:26412]
uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:25004]
uid/euid:81/81 gid/egid:81/81
Jan 2 22:01:18 mail [721866.753736] grsec: From 202.201.0.151: denied
untrusted exec of /usr/local/mailman/cgi-bin/listinfo by /usr/sbin/apache2
[apache2:26412] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2
[apache2:25004] uid/euid:81/81 gid/egid:81/81
...

grsec/pax are used, but not RBAC, sounds like that the `mailman' script
refused to run with different uid/gid of the executable, I've added postfix
and apache to the mailman group, but doesn't solve the problem. or should I
chown -R root:root /usr/local/mainman and chown a-S /usr/local/manman?

--
Wang, Baojun * * * * * * * * * * * * * * * * * * * *Lanzhou University
Distributed & Embedded System Lab * * * * * * *http://dslab.lzu.edu.cn
School of Information Science and Engeneering * * wangbj_AT_lzu.edu.cn
Tianshui South Road 222. Lanzhou 730000 * * * * * * * * * * .P.R.China
Tel:+86-931-8912025 * * * * * * * * * * * * * * * *Fax:+86-931-8912022

-------------------------------------------------------

--
Wang, Baojun * * * * * * * * * * * * * * * * * * * *Lanzhou University
Distributed & Embedded System Lab * * * * * * *http://dslab.lzu.edu.cn
School of Information Science and Engeneering * * wangbj_AT_lzu.edu.cn
Tianshui South Road 222. Lanzhou 730000 * * * * * * * * * * .P.R.China
Tel:+86-931-8912025 * * * * * * * * * * * * * * * *Fax:+86-931-8912022
--
gentoo-hardened@gentoo.org mailing list
 

Thread Tools




All times are GMT. The time now is 01:53 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org