RE: Security warning: using linuxconf(RedHat 6.2) and permissions of /usr/sbin/sendmail
Three things: First, linuxconf is NOT owned by RedHat. Therefore, it's not RedHat's problem. (You might want to convey your concerns to the linuxconf maintainers) Second, this is a GREAT example of why one might not want to trust someone else's RPM packages. Third, if installing qmail via LWQ, your /usr/sbin/sendmail might very well be symlinked to /var/qmail/bin/sendmail (I did it that way) Regards, Geordon (who has finally gone back to Slackware from RedHat) -Original Message- From: Peter Bieringer [mailto:[EMAIL PROTECTED]] Sent: Thursday, June 08, 2000 12:17 PM To: [EMAIL PROTECTED] Subject: Security warning: using linuxconf(RedHat 6.2) and permissions of /usr/sbin/sendmail Importance: High Hi, some days ago another guy mentioned that he has detected wrong permissions on his RedHat system using qmail at the wrapper "/usr/sbin/sendmail". I have reproduced this on 2 systems: Scenario: RedHat 6.2 (including linuxconf 1.17r2) sendmail-RPM deinstall qmail-SRPM build and install After original Qmail installation: /usr/sbin/sendmail 0755 root:qmail After adding a user with "linuxconf": /usr/sbin/sendmail 6755 root:root (suid,sgid!) That's really not Qmails intention that the wrapper runs now with suid root... So ***everyone using Qmail (or postfix also) on RedHat systems should do following check***: 1) Test if sendmail-RPM is really not installed: [root@mail /root]# rpm -qi sendmail package sendmail is not installed 2) check permissions of wrapper binary "/usr/sbin/sendmail" [root@mail /root]# ls -al /usr/sbin/sendmail BAD:-rwsr-sr-x1 root root 9748 Apr 27 20:13 /usr/sbin/sendmail GOOD: -rwxr-xr-x1 root mail 9748 Apr 27 20:13 /usr/sbin/sendmail 3) Re-secure, if BAD: [root@mail /root]# chown root:mail /usr/sbin/sendmail 4) Turnarounds to prevent re-insecuring: * do not use "linuxconf" anymore for adding users until RedHat has released a new version which do no longer reset the owner/group/permissions of "/usr/sbin/sendmail" (if it's not from the sendmail-RPM) * setup a cron script with does 3) as often as possible (i.e. all hours or shorter) Peter
FW: Ok, I'm an idiot...
I must have missed something when setting up my installation... I seem to have looped my "sendmail" around. Can someone help me un-fsck myself? castle:/var/qmail/bin# ls -la /var/qmail/bin lrwxrwxrwx 1 root root9 Jun 1 12:41 /var/qmail/bin - /usr/sbin castle:/var/qmail/bin# ls -la sendmail lrwxrwxrwx 1 root root 23 Jun 1 13:58 sendmail - /var/qmail/bin/sendmail I've spent half of today trying to find where in the docs to tell me what it SHOULD be. :/ Sigh. Would appreciate assistance (even just "RTFM appropriate document") Regards, Geordon Geordon VanTassle, MCP Ameritech IVRU Support Phone: 847-248-2590 Dark River.gif
RE: Qmail book??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Yes, I have to agree with Dave (who authored LWQ). That document, if you read it CAREFULLY!!!, will most certainly get you up on qmail in a single evening. Now, since I DIDN'T read it carefully, I have to go back and fine out where I screwed it up Dave, thanks for such a great resource! - -Original Message- From: Dave Sill [mailto:[EMAIL PROTECTED]] Sent: Thursday, March 23, 2000 2:18 PM To: [EMAIL PROTECTED] Subject: Re: Qmail book?? Rich Ferguson [EMAIL PROTECTED] wrote: I have heard that Qmail has advantages of Sendmail but is there a book of somesort on Qmail that will get me started at running a mail server? Try "Life with qmail": http://Web.InfoAve.Net/~dsill/lwq.html - -Dave -BEGIN PGP SIGNATURE- Version: PGP 6.5.1i for non-commercial use http://www.pgpi.com/ Comment: It's just like an envelope... iQA/AwUBONp+UqhTQhgLnpE/EQL3SACgysIrohTmSytHLgRYQwqvEF034PgAoIYD FATxLgByw2UCywYUrFGRE0Gy =CirV -END PGP SIGNATURE-
What did I mess up?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I was going through the "Life with qmail" document, and got to the point where I test the install. When I tried to execute "$PATH/qmail start" it reported an error to the effect of: env: multilog: fatal: unable to switch to current directory: access denied. no such file or directory Ok, where did I miss something? Thanks, Geordon -BEGIN PGP SIGNATURE- Version: PGP 6.5.1i for non-commercial use http://www.pgpi.com/ Comment: It's just like an envelope... iQA/AwUBONfop6hTQhgLnpE/EQILeACfS+aZZtdcCKqvmdS56+FCt6EwDowAn0HS FGnpsVaWgSVp0Wuc+jeK9Mok =ztps -END PGP SIGNATURE-
