Qmail suid issue

I think that I have RT 2.0.6 running … mostly. Unfortunately,
I’m having some problems with qmail’s aliases running correctly. I have
the following in my /var/log/maillog file:

Sep 16 23:08:44 zeus qmail: 1000696124.405419 new msg 127066
Sep 16 23:08:44 zeus qmail: 1000696124.406082 info msg 127066: bytes 556 from jkikpole@cairodurham.org qp 13153 uid 82
Sep 16 23:08:44 zeus qmail: 1000696124.604818 starting delivery 1878: msg 127066 to local rt@cairodurham.org
Sep 16 23:08:44 zeus qmail: 1000696124.605634 status: local 1/10 remote 1/20
Sep 16 23:08:44 zeus qmail: 1000696124.626533 delivery 1878: deferral: Can’t_do_setuid/
Sep 16 23:08:44 zeus qmail: 1000696124.626982 status: local 0/10 remote 1/20

…and there’s this…

zeus:rt>cat .qmail
|/usr/local/rt-2-0-6/bin/rt-mailgate --queue general --action correspond
zeus:rt>cat .qmail-comment
|/usr/local/rt-2-0-6/bin/rt-mailgate --queue general --action comment

…and this…

zeus:rt>ls -l /usr/local/rt-2-0-6/bin/
total 78
-rwxr-sr-x 1 root rt 5150 Sep 15 04:22 mason_handler.fcgi
-rwxr-sr-x 1 root rt 4664 Sep 15 04:22 mason_handler.scgi
-rwxr-sr-x 1 root rt 29495 Sep 15 04:22 rt
-rwxr-sr-x 1 root rt 8447 Sep 15 04:22 rt-mailgate
-rwxr-sr-x 1 root rt 23799 Sep 15 04:22 rtadmin
-rwxr-xr-x 1 root rt 4469 Sep 15 04:22 webmux.pl

Any ideas?

						Jaime

P.S. - So far I am very impressed!

“[A]s we enjoy great advantages from the inventions of others, we should
be glad of an opportunity to serve others by any invention of ours; and
this we should do freely and generously.” – Ben Franklin,
http://earlyamerica.com/lives/franklin/chapt10/index.html

I don’t know if this helps, but I found some email archives
referring to setuid perl (which is new to me) and found this:

zeus:bin>ls -l sperl5*
-r-x--s--x 3 root wheel 50816 Sep 14 18:26 sperl5
-r-x--s--x 3 root wheel 50816 Sep 14 18:26 sperl5.00503
zeus:bin>pwd
/usr/bin

Hope that helps generate some ideas.  :)  Any help is appreciated.

						TIA,
						Jaime


Jaime wrote:

    I don't know if this helps, but I found some email archives
    referring to setuid perl (which is new to me) and found this:

    zeus:bin>ls -l sperl5*
    -r-x--s--x 3 root wheel 50816 Sep 14 18:26 sperl5
    -r-x--s--x 3 root wheel 50816 Sep 14 18:26 sperl5.00503
    zeus:bin>pwd
    /usr/bin

    Hope that helps generate some ideas.  :)  Any help is appreciated.

    TIA,
    Jaime

Hello Jaime,
it’s always helpful to include which distribution Your linux
installation is based on (if it’s linux - could be Solaris or BSD as
well, which would mean others could be more of help than me).

Anyway, it seems that Your sperl does have the sgid bit set, but not the suid bit.
You can change this by issuing the command

chmod u+s /usr/bin/sperl*

After that, things should be up and running (bar any other errors).

Regards,
Harald
Harald Wagener | Systemadministrator
FCB/Wilkens GmbH | Tel.:+49-40-2881-1252
An der Alster 42 | Fax.:+49-40-2881-1263
20099 Hamburg | http://www.fcb-wilkens.com

it’s always helpful to include which distribution Your linux
installation is based on (if it’s linux - could be Solaris or BSD as
well, which would mean others could be more of help than me).

zeus:jkikpole>uname -a
FreeBSD zeus.cairodurham.org 4.4-STABLE FreeBSD 4.4-STABLE #2: Fri Sep 14 17:12:19 EDT 2001
jkikpole@zeus.cairodurham.org:/usr/obj/usr/src/sys/ZEUS i386

Anyway, it seems that Your sperl does have the sgid bit set, but not
the suid bit. You can change this by issuing the command

chmod u+s /usr/bin/sperl*

After that, things should be up and running (bar any other errors).

I noticed that it started with mode 0511.  According to a search
of the FreeBSD mailing list archives, this was by design but it wasn’t
clear why it was done. Security issues, I imagine.

I've tried changing the modes to 2511, 4511, and 6511.  Each of
them generated errors, though 6511 was different than the others. The
/var/log/maillog file shows the following when I try to use mode 6511:

Sep 17 06:25:18 zeus qmail: 1000722318.388007 new msg 127072
Sep 17 06:25:18 zeus qmail: 1000722318.388728 info msg 127072: bytes 556 from jkikpole@cairodurham.org qp 15519 uid 82
Sep 17 06:25:18 zeus qmail: 1000722318.587631 starting delivery 2169: msg 127072 to local rt@cairodurham.org
Sep 17 06:25:18 zeus qmail: 1000722318.588554 status: local 1/10 remote 0/20
Sep 17 06:25:22 zeus qmail: 1000722322.258324 delivery 2169: deferral: Can’t_write_to_‘/var/log/rt2/rt.log.15524.1162’:Permission_denied_at/usr/local/lib/perl5/site_perl/5.005/Log/Dispatch/File.pm_line_69./
Sep 17 06:25:22 zeus qmail: 1000722322.259643 status: local 0/10 remote 0/20

....and ls -l /var/log shows:

drwx------ 2 nobody nobody 512 Sep 16 22:51 rt2

Unfortunately, this looks like I need to change the mode of
/var/log/rt2 to something that qmail likes. I say “unfortunately” because
I had to change the ownership to nobody in order to get the web GUI to
work.

Am I missing something really obvious?  Maybe a chown/chgrp/chmod
combination for /var/log/rt2 that would work?

						Jaime

Am I missing something really obvious? Maybe a chown/chgrp/chmod
combination for /var/log/rt2 that would work?

OK, I think that I got it.  My httpd runs as nobody.  So I tried:

zeus:jkikpole>ls -l /var/log/ | grep rt2
drwxrw---- 2 nobody rt 512 Sep 17 06:32 rt2
zeus:jkikpole>ls -l /usr/bin/sperl5*
-r-s--s--x 3 root wheel 50816 Sep 14 18:26 /usr/bin/sperl5
-r-s--s--x 3 root wheel 50816 Sep 14 18:26 /usr/bin/sperl5.00503

Now it seems to be working.  Two tests sent to rt@... have made
their way into my general queue now. I assume that the others are held up
in the queue since they’ve been failing delivery for several hours. :)

Thanks for the help!  If something about the above looks
dangerous, please let me know.

						Jaime


OK, I think that I got it. My httpd runs as nobody. So I tried:

zeus:jkikpole>ls -l /var/log/ | grep rt2
drwxrw---- 2 nobody rt 512 Sep 17 06:32 rt2
      ^

I think you need another ‘x’ here (mode 770), otherwise the rt-group
will be denied a directory listing. On the other hand, rt probably never
does a directory listing on its log directory, so you could leave it as
it is without trouble.

Martin

Martin Schapendonk, martin@schapendonk.org, Phone: +31 (0)6 55770237
Student Information Systems and Management at Tilburg University

I think you need another ‘x’ here (mode 770), otherwise the rt-group

I eventually found this.  You're right, it was needed.  FWIW,
here’s the current status:

zeus:jkikpole>ls -l /var/log | grep rt2
drwxrwx--- 2 nobody rt 512 Sep 17 08:23 rt2

						Jaime
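
Added example, not part of the original thread: the Python below decodes the ls -l mode strings posted above into octal and applies standard POSIX directory semantics (r lists names, x reaches entries, creating a file needs w and x) to a process whose group is rt, ignoring root and ACLs. The function names and the user name mailgate are assumptions made for illustration.

```python
import stat

# Permission bits in ls -l order (user, group, other).
BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
        stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
        stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# Execute slots that can also show setuid, setgid or sticky.
SPECIAL = {2: (stat.S_ISUID, "sS"), 5: (stat.S_ISGID, "sS"), 8: (stat.S_ISVTX, "tT")}

def parse_ls_mode(text):
    """Turn an ls -l mode string such as '-r-s--s--x' into an integer mode."""
    if len(text) != 10:
        raise ValueError("expected 10 characters, got %r" % text)
    mode = 0
    for i, ch in enumerate(text[1:]):
        if i in SPECIAL and ch in SPECIAL[i][1]:
            mode |= SPECIAL[i][0]
            if ch.islower():          # lowercase s/t: execute bit is set as well
                mode |= BITS[i]
        elif ch == "rwx"[i % 3]:
            mode |= BITS[i]
        elif ch != "-":
            raise ValueError("unexpected %r in %r" % (ch, text))
    return mode

def dir_access(mode, owner, group, user, groups):
    """What a non-root process may do in a directory (first matching class wins)."""
    if user == owner:
        triad = (mode >> 6) & 7
    elif group in groups:
        triad = (mode >> 3) & 7
    else:
        triad = mode & 7
    r, w, x = bool(triad & 4), bool(triad & 2), bool(triad & 1)
    return {"list_names": r, "open_existing": x, "create_file": w and x}

if __name__ == "__main__":
    # Mode strings as posted in the thread; 'mailgate' is a constructed user name
    # standing in for whatever account qmail runs the setgid-rt script under.
    for line, owner, group in [("drwx------", "nobody", "nobody"),
                               ("drwxrw----", "nobody", "rt"),
                               ("drwxrwx---", "nobody", "rt")]:
        mode = parse_ls_mode(line)
        print(line, oct(mode), dir_access(mode, owner, group, "mailgate", {"rt"}))
    for line in ("-r-x--s--x", "-r-s--s--x", "-rwxr-sr-x"):
        mode = parse_ls_mode(line)
        print(line, oct(mode), "setuid" if mode & stat.S_ISUID else "",
              "setgid" if mode & stat.S_ISGID else "")
```

Run directly, it reports create_file as False for the rt group at 0o700 and 0o760 and True at 0o770, and shows that -r-s--s--x is mode 0o6511 with both setuid and setgid set.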