perl-suidperl

Hello

here is my problem.

I use CentOS 3.3 and I've tried to reinstall SpamAssassin/ClamAV on my box
(it was previously installed, but the system has been reinstalled as I have a dual Xeon now).

I can't use qmail-scanner as I have an error during the ./configure that tells me I can't do suid.

So I've installed the perl-suidperl rpm,

but it is the same thing.

Here is the qmail-scanner FAQ:

A- Can’t do suid: some perl distributions have decided that as running suid perl scripts is a rare event, they won’t install/enable it by default. On these systems this package won’t work. Typically the fix is:

chown root /usr/bin/suidperl
chmod 4711 /usr/bin/suidperl

…if suidperl exists, otherwise you will have to find that component package of perl to install (e.g. under Redhat it's an RPM called perl-suidperl)

B- YOU HAVEN’T DISABLED SET-ID SCRIPTS IN THE KERNEL YET: some perl distributions have decided that running suid perl scripts is BAD, and they specifically don’t support it. For these systems, you have no option but to either:
1-install setuid perl components - e.g. for Redhat there is a separate perl-suidperl RPM you have to install
2-install perl from source - compiling in setuid support, or
3-install a compiled setuid "wrapper" - which then calls qmail-scanner-queue.pl.

In the contrib directory there is an example C program, taken straight out of the perlsec manual. Check the Makefile and “make ; make install” as root. You must then remove the setuid setting on qmail-scanner-queue.pl:

chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl

as the binary does that bit instead, and stop running perl as suidperl (i.e. "#!/usr/bin/perl" instead of "#!/usr/bin/suidperl").

I’ve done all the solutions.

When I use the wrapper, the command "setuidgid qmaild /var/qmail/bin/qmail-scanner-queue.pl -g" works fine and gives me the output:
perlscanner: generate new DB file from /var/spool/qmailscan/quarantine-attachments.txt

But when I try to send an email I have some errors in /var/log/maillog:

Dec 23 05:41:47 padawan X-Qmail-Scanner-1.24: cannot open for write /var/spool/qmailscan/quarantine-attachments.db.tmp - Permission denied
Dec 23 05:42:12 padawan X-Qmail-Scanner-1.24: cannot create /var/spool/qmailscan/tmp - Permission denied

How could I use suidperl ???

I’m very surprised because before it was working.

Is there a conf file somewhere to tell suidperl is enabled?
What does this sentence mean: "YOU HAVEN'T DISABLED SET-ID SCRIPTS IN THE KERNEL YET"?

Maybe the problem is something else, but I already used my personal FAQ to successfully install SpamAssassin 3.0 and ClamAV, and I'd really like to use suidperl.

Maybe the problem comes from /service/smtp/run.

It was like this :

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"

exec /usr/bin/softlimit -m 15000000 \
/usr/bin/tcpserver -v -R -S -p -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
$RBLSMTPD $BLACKLIST $SMTPD $HOSTNAME $VCHKPW /bin/true 2>&1

and I updated it like this

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"

QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE

exec /usr/bin/softlimit -m 15000000 \
/usr/bin/tcpserver -v -R -S -p -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
$RBLSMTPD $BLACKLIST $SMTPD $HOSTNAME $VCHKPW /bin/true 2>&1

Um??? What would be the impact if I change
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
to
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

Thanks for your help

Pascal

Is it normal that I don't have a qmaild group in /etc/group?

What is the output of

ls -la /var/spool/qmailscan/tmp
ls -la /var/spool/qmailscan/

No, there isn’t supposed to be a qmaild group

Paul

Ok apparently it works.

I've used the wrapper written in C located in /contrib

  • chmod 0755 /var/qmail/bin/qmail-scanner-queue.pl

Then I’ve updated the /service/smtp/run like this :

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" export QMAILQUEUE
exec /usr/bin/softlimit -m 15000000 \
/usr/bin/tcpserver -v -R -S -p -x $TCP_CDB -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
$RBLSMTPD $BLACKLIST $SMTPD $HOSTNAME $VCHKPW /bin/true 2>&1

So I changed vpopmail to qmaild

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

and replaced /var/qmail/bin/qmail-scanner-queue.pl with the wrapper /var/qmail/bin/qmail-scanner-queue

QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue" export QMAILQUEUE

and now I don't have any more error messages in /var/log/mailerror.

But I'd really like to figure out why my suidperl doesn't work at all!!!
so if you have an idea it’s welcomed

Pascal
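
Editor's added example, not part of Pascal's or Paul's posts and not the program shipped in qmail-scanner's contrib/ directory: a hardened version of the perlsec-style setuid wrapper the FAQ quoted above describes and Pascal ended up using. The kernel point behind the FAQ's wording is that Linux ignores the set-id bits on "#!" scripts, so chmod 4711 on qmail-scanner-queue.pl changes nothing unless the interpreter itself (suidperl) is set-id; a compiled set-id binary is honoured by the kernel, which is why the wrapper makes the "Permission denied" errors on /var/spool/qmailscan go away. The perlsec original is a bare execv(); this version additionally makes the real ids equal to the effective ones and strips the environment variables (PERL5LIB, PERL5OPT, LD_*, IFS, PATH and friends) a caller could use to make the script run code of its choosing, since the script inherits the wrapper's privileges. REAL_PATH, the owning user (qscand, qmail-scanner's default) and the variable list are assumptions chosen for this example.

```c
/*
 * Hardened setuid wrapper for an interpreter script, in the spirit of the
 * perlsec(1) example qmail-scanner ships in contrib/.  Added example for this
 * thread, not qmail-scanner's own code.  REAL_PATH, SAFE_PATH and the list of
 * dangerous variables are assumptions for the example.
 *
 * Why a wrapper at all: the Linux kernel ignores the set-id bits on "#!"
 * scripts, so a setuid qmail-scanner-queue.pl still runs as the caller
 * (vpopmail in this thread) unless the interpreter itself is setuid
 * (suidperl).  A compiled set-id program is honoured and can exec the script.
 *
 * Build and install (as root; qscand is an assumption):
 *   cc -O2 -Wall -o qmail-scanner-queue qmail-scanner-queue.c
 *   chown qscand:qscand qmail-scanner-queue && chmod 4755 qmail-scanner-queue
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define REAL_PATH "/var/qmail/bin/qmail-scanner-queue.pl"   /* assumption */
#define SAFE_PATH "PATH=/usr/bin:/bin"                       /* assumption */

/* Variables a caller could use to hijack perl or a shell it spawns.
 * "LD_" is a prefix so LD_PRELOAD, LD_LIBRARY_PATH etc. are all caught. */
static const char *const dangerous_prefixes[] = {
    "PERL5LIB=", "PERLLIB=", "PERL5OPT=", "PERL5DB=", "PERLIO=",
    "LD_", "IFS=", "ENV=", "BASH_ENV=", "CDPATH=", "PATH=", NULL
};

/* Return 1 if ENTRY ("NAME=value") may be passed through to the script,
 * 0 if it is on the deny list or is not even of the NAME=value form. */
int env_entry_is_safe(const char *entry)
{
    for (const char *const *p = dangerous_prefixes; *p; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 0;
    return strchr(entry, '=') != NULL;
}

/* Copy the safe entries of IN into OUT (capacity CAP, NULL-terminated) and
 * append a fixed PATH.  Returns the number of entries written (PATH included)
 * or -1 if OUT has no room for the entries plus the terminator. */
int build_clean_env(char *const *in, const char **out, size_t cap)
{
    size_t n = 0;
    for (; *in; in++) {
        if (!env_entry_is_safe(*in))
            continue;
        if (n + 2 >= cap)              /* keep room for PATH and NULL */
            return -1;
        out[n++] = *in;
    }
    if (n + 2 > cap)
        return -1;
    out[n++] = SAFE_PATH;
    out[n] = NULL;
    return (int)n;
}

/* Make the real ids equal the effective ones, gid first, so the script cannot
 * be talked into dropping back to the caller and perl sees no uid mismatch.
 * Returns 0 on success, -1 on failure. */
int fix_ids(void)
{
    if (setregid(getegid(), getegid()) != 0)
        return -1;
    if (setreuid(geteuid(), geteuid()) != 0)
        return -1;
    return 0;
}

extern char **environ;

int main(int argc, char **argv)
{
    const char *clean[256];
    (void)argc;

    if (fix_ids() != 0) {
        perror("setreuid/setregid");
        return 111;
    }
    if (build_clean_env(environ, clean, sizeof clean / sizeof clean[0]) < 0) {
        fprintf(stderr, "environment too large\n");
        return 111;
    }
    /* argv (including any -g) and fds 0/1 are passed through unchanged,
     * which is all a qmail-queue replacement needs. */
    execve(REAL_PATH, argv, (char *const *)clean);
    perror(REAL_PATH);
    return 111;
}
```

Usage follows the FAQ exactly: keep the .pl at 0755 with "#!/usr/bin/perl" (not suidperl), give the binary the set-id bits, and point QMAILQUEUE at the binary. Exit codes outside 11..40 are treated as temporary failures by qmail-queue's callers, so a failed exec defers the message instead of bouncing it.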

Paul,

Is there an impact to have changed
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`

to
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

??

Thanks

Any idea for the suidperl ?

End: RESOLVED.

Ok for suidperl :
I’ve upgraded to a more recent version (5.8.0.xx) and now qmail-scanner works fine without having to use the wrapper.

Everything was working fine (spam is marked up, viruses are deleted, …) but I've seen that I had some errors in /var/log/smtp/current:

Error: Failed to read /var/qmail/control/sql

So I've updated the /service/smtp/run file one more time and put back
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`

Moreover, I've deleted the line:
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE

In fact I had written it there because I thought there was a problem with vpopmail and qmail-scanner.
But apparently it has been solved in the latest vpopmail version.

So, as we use qmail, I've preferred to set up qmail-scanner in the tcp rules.
So I’ve edited the file /etc/tcprules.d/tcp.smtp

# No Qmail-Scanner at all for mail from 127.0.0.1
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"

# Use Qmail-Scanner without SpamAssassin on any mail from the local network
# [it triggers SpamAssassin via the presence of the RELAYCLIENT var]
65.110.36:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

# Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"

and run :
tcprules /etc/tcprules.d/tcp.smtp.cdb /etc/tcprules.d/tcp.smtp.tmp < /etc/tcprules.d/tcp.smtp

Now, apparently, everything works fine and I don't have any more errors in /var/log/smtp/current.

Then, if you'd like to install SpamAssassin and ClamAV, I may help you.
Pascal