Rt-mailgate: Permission denied

Jeff_Melton · June 16, 2015, 3:33pm

I’m setting up a new RT server, and I’m having some trouble getting rt-mailgate to accept email piped from postfix.

`Command output: local: fatal: execvp /opt/rt4/bin/rt-mailgate: Permission denied`

Best I can tell, it’s likely to be a permissions issue. What owner, group and mode should RT be using? Are there any other gotchas I need to be looking at? (I’ve configured role, group and user permissions in the RT GUI.)

JM

Matt_Brennan · June 16, 2015, 3:54pm

On my system, the application is world executable. I don’t recall if that’s
the default or I changed it. I’m sure someone here will say that’s a bad
idea, security wise.

At a minimum, it needs to be executable by whatever user ID postfix is
running as. If you want to lock down the executable, you’d need to check
what user ID you have postfix running as and set the group to one which
contains that user ID (you’d also need to make sure it’s group executable).On Tue, Jun 16, 2015 at 11:33 AM, Jeff Melton jeff@ifworld.com wrote:

I’m setting up a new RT server, and I’m having some trouble getting
rt-mailgate to accept email piped from postfix.
Command output: local: fatal: execvp /opt/rt4/bin/rt-mailgate: Permission denied

Best I can tell, it’s likely to be a permissions issue. What owner, group
and mode should RT be using? Are there any other gotchas I need to be
looking at? (I’ve configured role, group and user permissions in the RT
GUI.)

JM

Jeff_Melton · June 16, 2015, 7:00pm

On my system, the application is world executable. I don’t recall if that’s
the default or I changed it. I’m sure someone here will say that’s a bad
idea, security wise.

At a minimum, it needs to be executable by whatever user ID postfix is
running as. If you want to lock down the executable, you’d need to check
what user ID you have postfix running as and set the group to one which
contains that user ID (you’d also need to make sure it’s group executable).

Thanks! The whole of /opt/rt4 is 755 right now, with everything executed by root. The postfix master process is owned by root; qmgr and pickup are owned by postfix. /opt/rt4 is root:www-data right now, but I’ve tried it root:root as well. I’ve tried adding the postfix user to the root and www-data groups, and that has no effect.

Joop1 · June 16, 2015, 7:25pm

I’m setting up a new RT server, and I’m having some trouble getting
rt-mailgate to accept email piped from postfix.
Command output: local: fatal: execvp /opt/rt4/bin/rt-mailgate: Permission denied

You don’t state which OS you’re using but if you’re using CentOS/Rhel
base/derived you could be facing a SELinux problem. Check
/var/log/messages /var/log/audit or see what happens if you run
setenforce 0.

Regards,

Joop

Jeff_Melton · June 16, 2015, 7:29pm

It’s Debian Wheezy. No SELinux in this case.On Tue, Jun 16, 2015 at 09:25:02PM +0200, Joop wrote:

On 16-6-2015 17:33, Jeff Melton wrote:

I’m setting up a new RT server, and I’m having some trouble getting
rt-mailgate to accept email piped from postfix.
Command output: local: fatal: execvp /opt/rt4/bin/rt-mailgate: Permission denied

You don’t state which OS you’re using but if you’re using CentOS/Rhel
base/derived you could be facing a SELinux problem. Check
/var/log/messages /var/log/audit or see what happens if you run
setenforce 0.

Regards,

Joop

Aaron_C_de_Bruyn · June 16, 2015, 7:39pm

AppArmor? (Or is that just Ubuntu?)

Also, is the postfix process running in a chroot?
Check /etc/postfix/master.cf to see if the service that is doing the
rt-mailgate delivery has a ‘y’ in the chroot column.

-AOn Tue, Jun 16, 2015 at 12:29 PM, Jeff Melton jeff@ifworld.com wrote:

It’s Debian Wheezy. No SELinux in this case.

On Tue, Jun 16, 2015 at 09:25:02PM +0200, Joop wrote:

On 16-6-2015 17:33, Jeff Melton wrote:

I’m setting up a new RT server, and I’m having some trouble getting
rt-mailgate to accept email piped from postfix.
Command output: local: fatal: execvp /opt/rt4/bin/rt-mailgate: Permission denied

You don’t state which OS you’re using but if you’re using CentOS/Rhel
base/derived you could be facing a SELinux problem. Check
/var/log/messages /var/log/audit or see what happens if you run
setenforce 0.

Regards,

Joop

Jeff_Melton · June 16, 2015, 7:50pm

It is chrooted, but when I s/-/n for all the chrooted processes in master.cf and restarted postfix, it didn’t make any difference. I just swapped the original master.cf back in.

I’ll update to add that my aliases were quoted incorrectly to begin with, and having changed that, the full error output now reads:

Command died with status 126: "/opt/rt4/bin/rt-mailgate --queue 'Network Support' --action correspond --url http://rt.ifworld.com". Command output: sh: 1: /opt/rt4/bin/rt-mailgate: Permission deniedOn Tue, Jun 16, 2015 at 12:39:15PM -0700, Aaron C. de Bruyn wrote:

AppArmor? (Or is that just Ubuntu?)

Also, is the postfix process running in a chroot?
Check /etc/postfix/master.cf to see if the service that is doing the
rt-mailgate delivery has a ‘y’ in the chroot column.

-A

On Tue, Jun 16, 2015 at 12:29 PM, Jeff Melton jeff@ifworld.com wrote:

It’s Debian Wheezy. No SELinux in this case.

On Tue, Jun 16, 2015 at 09:25:02PM +0200, Joop wrote:

On 16-6-2015 17:33, Jeff Melton wrote:

I’m setting up a new RT server, and I’m having some trouble getting
rt-mailgate to accept email piped from postfix.
Command output: local: fatal: execvp /opt/rt4/bin/rt-mailgate: Permission denied

You don’t state which OS you’re using but if you’re using CentOS/Rhel
base/derived you could be facing a SELinux problem. Check
/var/log/messages /var/log/audit or see what happens if you run
setenforce 0.

Regards,

Joop

Jeff_Melton · June 16, 2015, 8:34pm

I figured this out. I was using this project as an opportunity to try out plenv, but used /root/.plenv to set global Perl. When we set /root +x, it started working. Now I just need to figure out how best to fix it long-term.

Thanks, all.On Tue, Jun 16, 2015 at 12:39:15PM -0700, Aaron C. de Bruyn wrote:

AppArmor? (Or is that just Ubuntu?)

Also, is the postfix process running in a chroot?
Check /etc/postfix/master.cf to see if the service that is doing the
rt-mailgate delivery has a ‘y’ in the chroot column.

-A

On Tue, Jun 16, 2015 at 12:29 PM, Jeff Melton jeff@ifworld.com wrote:

It’s Debian Wheezy. No SELinux in this case.

On Tue, Jun 16, 2015 at 09:25:02PM +0200, Joop wrote:

On 16-6-2015 17:33, Jeff Melton wrote:

I’m setting up a new RT server, and I’m having some trouble getting
rt-mailgate to accept email piped from postfix.
Command output: local: fatal: execvp /opt/rt4/bin/rt-mailgate: Permission denied

You don’t state which OS you’re using but if you’re using CentOS/Rhel
base/derived you could be facing a SELinux problem. Check
/var/log/messages /var/log/audit or see what happens if you run
setenforce 0.

Regards,

Joop