
perl-suidperl


pascal
12-23-2004, 12:10 AM
Hello

Here is my problem.

I use CentOS 3.3 and I've tried to reinstall SpamAssassin/ClamAV on my box
(it was previously installed, but the system has been reinstalled as I have a dual Xeon now).

I can't use qmail-scanner as I have an error during the ./configure that tells me I can't do suid.

So I've installed the perl-suidperl RPM.

But it is the same thing.

Here is the qmail-scanner FAQ:

A- Can't do suid: some perl distributions have decided that as running suid perl scripts is a rare event, they won't install/enable it by default. On these systems this package won't work. Typically the fix is:


chown root /usr/bin/suidperl
chmod 4711 /usr/bin/suidperl


...if suidperl exists, otherwise you will have to find that component package of perl to install (e.g. under Redhat it's an RPM called perl-suidperl)

B- YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET: some perl distributions have decided that running suid perl scripts is BAD, and they specifically don't support it. For these systems, you have no option but to either:
1-install setuid perl components - e.g. for Redhat there is a separate perl-suidperl RPM you have to install
2-install perl from source - compiling in setuid support, or
3-install a compiled setuid "wrapper" - which then calls qmail-scanner-queue.pl.

In the contrib directory there is an example C program, taken straight out of the perlsec manual. Check the Makefile and "make ; make install" as root. You must then remove the setuid setting on qmail-scanner-queue.pl:

chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl

as the binary does that bit instead, and stop running perl as suidperl (i.e. "#!/usr/bin/perl" instead of "#!/usr/bin/suidperl").


I've applied all the solutions.

When I use the wrapper, the command "setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g" works fine and gives me this output:
perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt

But when I try to send an email I have some errors in /var/log/maillog:


Dec 23 05:41:47 padawan X-Qmail-Scanner-1.24: [] cannot open for write /var/spool/qmailscan/quarantine-attachments.db.tmp - Permission denied
Dec 23 05:42:12 padawan X-Qmail-Scanner-1.24: [] cannot create /var/spool/qmailscan/tmp - Permission denied


How could I use suidperl???

I'm very surprised because before it was working.

Is there a config file somewhere that says suidperl is enabled?
What does this sentence mean: "YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET"?

Maybe the problem is something else, but I already used my personal FAQ to successfully install SpamAssassin 3.0 and ClamAV, and I'd really like to use suidperl.

Maybe the problem comes from /service/smtp/run.

It was like this:

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"

exec /usr/bin/softlimit -m 15000000 \
/usr/bin/tcpserver -v -R -S -p -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
$RBLSMTPD $BLACKLIST $SMTPD $HOSTNAME $VCHKPW /bin/true 2>&1


and I updated it like this:

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"

QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE

exec /usr/bin/softlimit -m 15000000 \
/usr/bin/tcpserver -v -R -S -p -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
$RBLSMTPD $BLACKLIST $SMTPD $HOSTNAME $VCHKPW /bin/true 2>&1


Um... what would be the impact if I change
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
to
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

Thanks for your help

Pascal

pascal
12-23-2004, 12:17 AM
Is it normal that I don't have a qmaild group in /etc/group?

IWorx-Paul
12-23-2004, 12:39 AM
What is the output of

ls -la /var/spool/qmailscan/tmp
ls -la /var/spool/qmailscan/
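
Reading that listing against the uid the scanner actually runs as is the whole diagnosis: qmail-smtpd, and therefore qmail-scanner-queue.pl, runs as the tcpserver -u user from the run file, and unless suidperl or the C wrapper switches the effective uid to the spool's owner, every write under /var/spool/qmailscan fails exactly as in the maillog lines above. The following Python is an added example, not code from this thread or from qmail-scanner: it parses `ls -la` output into owner, group and mode, answers whether a given user could write each entry, and checks that a helper such as /usr/bin/suidperl carries the set-user-ID bit that the FAQ's chmod 4711 sets and is not writable by anyone else. The listing and the spool owner name `qscand` are constructed sample data, not output from Pascal's machine.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ls -la /var/spool/qmailscan/` (assumption: the spool
# is owned by qmail-scanner's own service user, called "qscand" here).
SAMPLE_LISTING = """\
total 20
drwxr-xr-x  3 qscand qscand 4096 Dec 23 05:40 .
drwxr-xr-x 12 root   root   4096 Dec 22 18:02 ..
-rw-r--r--  1 qscand qscand 1024 Dec 23 05:40 quarantine-attachments.txt
-rw-r--r--  1 qscand qscand 8192 Dec 23 05:40 quarantine-attachments.db
drwxr-xr-x  2 qscand qscand 4096 Dec 23 05:40 tmp
"""

# Constructed sample of `ls -la /usr/bin/perl /usr/bin/suidperl` after the
# FAQ's chown/chmod step: mode 4711 prints as -rws--x--x.
SAMPLE_PERL = """\
-rwxr-xr-x  1 root root 13420 Nov 11  2004 /usr/bin/perl
-rws--x--x  1 root root 13516 Nov 11  2004 /usr/bin/suidperl
"""


@dataclass(frozen=True)
class Entry:
    mode: str   # ten characters: type, then rwx for owner, group, other
    owner: str
    group: str
    name: str


# mode, link count, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})[.+]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls(text):
    """Parse `ls -l` style output, skipping the 'total' line and anything else
    that does not look like an entry."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def can_write(entry, user, groups):
    """Plain DAC answer to "can `user` (member of `groups`) write this entry?".
    For a directory that is the right to create or remove files in it, which
    also needs the execute bit. ACLs, capabilities and the sticky bit are
    ignored; root always passes."""
    if user == "root":
        return True
    if entry.owner == user:
        perm = entry.mode[1:4]
    elif entry.group in groups:
        perm = entry.mode[4:7]
    else:
        perm = entry.mode[7:10]
    writable = perm[1] == "w"
    if entry.mode[0] == "d":
        return writable and perm[2] in "xst"
    return writable


def is_setuid_root(entry):
    """True only for a root-owned file whose owner-execute slot is 's': set-user-ID
    together with execute. A capital 'S' is the bit on a non-executable file,
    which gives the helper no privilege at all."""
    return entry.owner == "root" and entry.mode[3] == "s"


def is_safe_setuid_root(entry):
    """A setuid-root helper must not be writable by its group or by others,
    otherwise whoever can write it can change what runs as root."""
    return is_setuid_root(entry) and entry.mode[5] != "w" and entry.mode[8] != "w"


def unwritable_paths(listing, user, groups):
    """Names in the listing that `user` cannot write: the ones that surface as
    'Permission denied' when the scanner runs under that uid."""
    return [e.name for e in parse_ls(listing) if not can_write(e, user, set(groups))]


if __name__ == "__main__":
    for who, grp in (("vpopmail", ["vchkpw"]), ("qscand", ["qscand"])):
        print(who, "cannot write:", unwritable_paths(SAMPLE_LISTING, who, grp))
    for e in parse_ls(SAMPLE_PERL):
        print(e.name, "setuid root:", is_setuid_root(e), "safe:", is_safe_setuid_root(e))
```

Run against the real listing, the first question to answer is which user appears in `unwritable_paths`: if the run file starts qmail-smtpd as vpopmail and the spool belongs to qscand, the script must be gaining qscand's uid through suidperl or the wrapper, and a listing with no 's' in /usr/bin/suidperl's owner-execute slot explains the failure on its own.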

IWorx-Paul
12-23-2004, 12:40 AM
No, there isn't supposed to be a qmaild group.

Paul

pascal
12-23-2004, 01:00 AM
OK, apparently it works.

I've used the wrapper written in C located in /contrib
+ chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl

Then I've updated /service/smtp/run like this:


#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" export QMAILQUEUE
exec /usr/bin/softlimit -m 15000000 \
/usr/bin/tcpserver -v -R -S -p -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
$RBLSMTPD $BLACKLIST $SMTPD $HOSTNAME $VCHKPW /bin/true 2>&1


So I changed vpopmail to qmaild:

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`


and replaced /var/qmail/bin/qmail-scanner-queue.pl with the wrapper /var/qmail/bin/qmail-scanner-queue:

QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" export QMAILQUEUE


and now I don't have any more error messages in /var/log/mailerror.

But I'd really like to figure out why my suidperl doesn't work at all!!!
So if you have an idea, it's welcome.

Pascal

pascal
12-23-2004, 02:21 AM
Paul,

Is there an impact from having changed
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`

to
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

??

Thanks

Any idea for the suidperl ?

pascal
12-23-2004, 05:04 AM
End: RESOLVED.

OK, for suidperl:
I've upgraded to a more recent version (5.8.0.xx) and now qmail-scanner works fine without having to use the wrapper.

Everything was working fine (spam is marked up, viruses are deleted, ...) but I've seen that I had some errors in /var/log/smtp/current:

Error: Failed to read /var/qmail/control/sql

So I've updated the /service/smtp/run file one more time and put back:
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`

Moreover, I've deleted the line:
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE

In fact I had written it there because I thought there was a problem with vpopmail and qmail-scanner.
But apparently it has been solved in the latest vpopmail version.

So, as we use qmail, I preferred to set up qmail-scanner in the tcp rules.
So I've edited the file /etc/tcprules.d/tcp.smtp:

# No Qmail-Scanner at all for mail from 127.0.0.1
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"

# Use Qmail-Scanner without SpamAssassin on any mail from the local network
# [it triggers SpamAssassin via the presence of the RELAYCLIENT var]
65.110.36:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

# Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"



and run:
tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp


Now, apparently, everything works fine and I don't have any more errors in /var/log/smtp/current.

Then, if you'd like to install SpamAssassin and ClamAV, I may help you.
Pascal
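
The tcp.smtp file in the last post is where the per-client scanning decision is made, so it pays to be able to see exactly which connections skip qmail-scanner (the 127. rule), which ones receive RELAYCLIENT, and what everyone else gets. The following Python is an added example, not code from this thread or from ucspi-tcp: it parses an address:instructions rules file and resolves a client IP in the order tcpserver consults the compiled cdb, trying the exact address, then each shorter prefix that ends in a dot, then the empty default key. It also shows a caveat in the posted rules: a prefix key is only matched with its trailing dot, so the `65.110.36:` line as written is never looked up for a host such as 65.110.36.7, and the local network falls through to the default rule (scanned with SpamAssassin and without RELAYCLIENT); `65.110.36.:` is the key that expresses the comment's intent. The rules are the thread's own; the client addresses are constructed.

```python
import re

# Constructed sample: the thread's /etc/tcprules.d/tcp.smtp, comments shortened.
TCP_SMTP = """\
# No Qmail-Scanner at all for mail from 127.0.0.1
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"

# Local network: Qmail-Scanner without SpamAssassin (RELAYCLIENT is set)
65.110.36:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

# Everyone else: Qmail-Scanner with SpamAssassin
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
"""

# One VAR="value" assignment; tcprules double-quotes every value.
ASSIGNMENT = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def expand_address(addr):
    """tcprules accepts a range in the last octet (1.2.3.4-6) and compiles it
    to one exact key per address; do the same here."""
    head, dot, last = addr.rpartition(".")
    if dot and "-" in last:
        lo, hi = (int(n) for n in last.split("-", 1))
        return [f"{head}.{n}" for n in range(lo, hi + 1)]
    return [addr]


def parse_tcprules(text):
    """Parse 'address:instructions' lines into {key: (verdict, env)}.
    Blank lines and '#' comments are skipped, as tcprules does."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, sep, instructions = line.partition(":")
        if not sep:
            raise ValueError(f"no ':' in rule {line!r}")
        verdict, _, assignments = instructions.partition(",")
        if verdict not in ("allow", "deny"):
            raise ValueError(f"bad verdict in rule {line!r}")
        env = dict(ASSIGNMENT.findall(assignments))
        for key in expand_address(addr):
            rules[key] = (verdict, env)
    return rules


def lookup_keys(ip):
    """Keys tcpserver tries for a client IP, most specific first: the exact
    address, each shorter prefix ending in a dot, then the empty default key.
    A key without a trailing dot is only ever matched as an exact address."""
    octets = ip.split(".")
    keys = [ip]
    for n in range(len(octets) - 1, 0, -1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")
    return keys


def decide(rules, ip):
    """Return (matched_key, verdict, env) for a connecting client. A client
    matching no key at all is allowed with an unchanged environment."""
    for key in lookup_keys(ip):
        if key in rules:
            verdict, env = rules[key]
            return key, verdict, dict(env)
    return None, "allow", {}


if __name__ == "__main__":
    rules = parse_tcprules(TCP_SMTP)
    for client in ("127.0.0.1", "65.110.36.7", "203.0.113.9"):  # constructed clients
        key, verdict, env = decide(rules, client)
        print(f"{client:>12} -> key={key!r:14} {verdict:5} "
              f"RELAYCLIENT={'RELAYCLIENT' in env} QMAILQUEUE={env.get('QMAILQUEUE')}")
```

Because the relay decision rides on the same lookup, a prefix typo of this kind fails closed (the LAN cannot relay and does get scanned), which is why it goes unnoticed until someone compares the intended rule with what `decide` actually returns for a local address.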