RES: Can't do setuid

Presciliano_dos_Sant · December 3, 2001, 8:35pm

Aditional information:

Sendmail version: 8.11.1/8.8.7

#/etc/aliases
…
rt-comment: "|/usr/local/rt2/bin/rt-mailgate --queue general --action
comment"
rt: “|/usr/local/rt2/bin/rt-mailgate --queue general --action
correspond”
…
abuse-comment: "|/usr/local/rt2/bin/rt-mailgate --queue abuse --action
comment"
abuse: “|/usr/local/rt2/bin/rt-mailgate --queue abuse --action
correspond”
…

Thanks,

Presciliano

Presciliano_dos_Sant · December 4, 2001, 1:01pm

Bruce,

I’ve installed majordomo wrapper, but I’m not sure how to use it to solve my
problem. Can you please point me in the right direction ?

Thanks,

Presciliano

Bruce_Campbell · December 4, 2001, 1:46pm

( Subject changed to make it easier for people searching the archives )

This is a brief rundown on how to use a setuid program to invoke
rt-mailgate, when your OS’s perl cannot (or won’t) do setuid properly.

Firstly, compile and install RT.

Secondly, retrieve and extract majordomo from
ftp://ftp.greatcircle.com/pub/majordomo . I used version 1.94.5 for this.
I’ve also attached to this message a cut-down Makefile and the original
wrapper.c .

Thirdly, edit the Majordomo Makefile (or the attached one) and change the
following variables:

W_HOME = /path/to/rt2/bin
W_USER = NUMERIC_ID_OF_RT_USER
W_GROUP = NUMERIC_ID_OF_RT_GROUP

Next, run ‘make wrapper’, and ‘make install-wrapper’ as root.

Finally, put it in your /etc/aliases (or appropriate MTA location) as (on
one line of course):

rt-comment: "|/path/to/rt2/bin/wrapper rt-mailgate --queue
	QUEUE_NAME --action comment"

and
rt: “|/path/to/rt2/bin/wrapper rt-mailgate --queue
QUEUE_NAME --action correspond”

( Note that wrapper only looks for the program (1st argument) in the HOME
directory defined below. You don’t need to put
’/path/to/rt2/bin/rt-mailgate’ in the alias file )

When fault-finding, note that /path/to/rt2/bin/wrapper should be setuid,
be owned by root and the RT group, and the /path/to/rt2/bin should be
within the wrapper binary, ie:

$ strings -a /path/to/rt2/bin/wrapper
 HOME
HOME=/path/to/rt2/bin
    HOME is %s,

If HOME=/something/else, then you’ve probably ended up with your majordomo
version of wrapper.

Your next port of call is ensuring that /path/to/rt2/bin/rt-mailgate
/path/to/rt2/bin/rt-mailgate is executable by the RT user, that the
directory tree all the way to the / is accessible by the RT user, and the
perl indicated by the first ‘#!’ line is executable by the RT user. Then
further fault-find by judicious application of perl -c and checking that
the RT user can access all the libraries, including
/path/to/rt2/etc/config.pm .

I hope this helps.

Regards,

                         Bruce Campbell                            RIPE
                                                                    NCC
                                                             Operations

Makefile (2.64 KB)

wrapper.c (3.77 KB)

Ashley_Gould · December 5, 2001, 11:20pm

Don’t know the major domo stuff, but when I built perl 5.6.1, all the
suidperl issues vanished.

I built perl 5.6.1 with libperl as shared object:
develrt:/usr/local/build/perl-5.6.1 # sh Configure -Duseshrplib
develrt:/usr/local/build/perl-5.6.1 # make
develrt:/usr/local/build/perl-5.6.1 # make test
develrt:/usr/local/build/perl-5.6.1 # make install

ashleyOn Mon, Dec 03, 2001 at 06:35:06PM -0200, Presciliano dos Santos Neto wrote:

Aditional information:

Sendmail version: 8.11.1/8.8.7

#/etc/aliases
…
rt-comment: “|/usr/local/rt2/bin/rt-mailgate --queue general --action
comment”
rt: “|/usr/local/rt2/bin/rt-mailgate --queue general --action
correspond”
…
abuse-comment: “|/usr/local/rt2/bin/rt-mailgate --queue abuse --action
comment”
abuse: “|/usr/local/rt2/bin/rt-mailgate --queue abuse --action
correspond”
…

Thanks,

Presciliano

----- Mensagem original -----
De: Presciliano dos Santos Neto
Enviada em: Segunda-feira, 3 de Dezembro de 2001 15:19
Para: ‘rt-users@lists.fsck.com’
Assunto: [rt-users] Can’t do setuid

I’m running RT on Conectiva Linux, so I chmoded u+s /usr/bin/suidperl:

[root@pinguim bin]# ls -la /usr/bin/suidperl
-rwsr-xr-x 1 root root 694872 Sep 5 07:15 /usr/bin/suidperl

However, I still get the following error when sending an e-mail to the
queue:

----- The following addresses had permanent fatal errors -----
“|/usr/local/rt2/bin/rt-mailgate --queue abuse --action correspond”
(expanded from: abuse@security.telepar.net.br)

----- Transcript of session follows -----
Can’t do setuid
554 5.3.0 “|/usr/local/rt2/bin/rt-mailgate --queue abuse --action
correspond”… unknown mailer error 2

Any idea ?

Thanks,

Presciliano

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

rt-users mailing list
rt-users@lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users