Re: [AMaViS-user] amavisd-release and apache suexec

2008-10-04 Thread Michael Slavin
Mark,

Thank you for your patience and time with this. I still haven't got it 
working.

Mark Martinec wrote:
> amavisd-release need not run as any specific user, all it needs
> is an access to an inet or unix socket offered by amavisd.
If run as root, it works fine. Run from the web script mailaction.php it 
does not. I guess it is not a suexec issue as amavisd-release does 
start, but then fails and logs
   
Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock:
Permission denied at /usr/bin/amavisd-release line 206.

I finally tried from a shell, su webadmin and then run the release 
command, that also fails with the socket permission error.

srwxr-x--- 1 amavis amavis 0 Sep 17 17:19 /var/spool/amavisd/amavisd.sock
-rwxr-xr-x 1 root root  9194 Sep 29 14:08 /usr/bin/amavisd-release

What am I still doing wrong here??

Michael

-
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
___
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 


Re: [AMaViS-user] amavisd-release and apache suexec

2008-10-02 Thread Mark Martinec
Michael,

>> amavisd-release need not run as any specific user, all it needs
>> is an access to an inet or unix socket offered by amavisd.
>
> If run as root, it works fine. Run from the web script mailaction.php it
> does not. I guess it is not a suexec issue as amavisd-release does
> start, but then fails and logs
> Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock:
> Permission denied at /usr/bin/amavisd-release line 206.
>
> I finally tried from a shell, su webadmin and then run the release
> command, that also fails with the socket permission error.
>  srwxr-x--- 1 amavis amavis 0 Sep 17 17:19 /var/spool/amavisd/amavisd.sock

You've answered yourself, it's a permission problem.

The easiest way out is to abandon Unix socket and use an inet socket
on a TCP port dedicated to releasing, e.g.:

  $inet_socket_port = [10024,9998];
  $unix_socketname = undef;

  # used by amavisd-release utility of a new AM.PDP-based amavis-milter client
  $interface_policy{'9998'} = 'AM.PDP-INET';

  $policy_bank{'AM.PDP-INET'} = {
    protocol => 'AM.PDP',  # Amavis policy delegation protocol
    inet_acl => [qw( 127.0.0.1 [::1] )],
  };


And in amavisd-release, change socket to:

  $socketname = '127.0.0.1:9998';



Alternatively, modifying a file amavisd like this:

--- amavisd~2008-06-29 02:37:58.0 +0200
+++ amavisd 2008-10-02 16:28:44.0 +0200
@@ -8716,5 +8716,5 @@
 ### but before binding to sockets
 sub post_configure_hook {
-# umask(0007);  # affect protection of Unix sockets created by Net::Server
+  umask(0007);  # affect protection of Unix sockets created by Net::Server
 }
 
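Review bot: the comment on the enabled `umask(0007);` line in `post_configure_hook` still only says it will "affect protection of Unix sockets", which hides two things a reader needs to know. umask is process-wide, so from this hook onward every file the daemon creates becomes group-accessible, not just the sockets; and the effect on the socket is that any member of the owning group can connect and send requests to it. Say both in the comment, and consider exposing the value as a configuration setting instead of an edit to the amavisd program file, which the next upgrade would overwrite.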
lets Net::Server create sockets as group-writable, which would
allow access to an amavisd-release client if its UID is added to
the amavis group (in /etc/group).


> I've now created another subdomain in order to run mailaction.php using
> suexec amavis and still get the same Permission denied error from
> amavisd-release.

That I can not explain. It's all about classical Unix permissions,
unless some mandatory access controls are in place.

  Mark
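
The permission logic discussed in this message, worked through as an added example (it is not part of the original post and not amavisd code). It applies the classic owner/group/other rule to the socket modes from the thread; the function names are hypothetical, and the mapping from umask to socket mode assumes the socket file is created as 0777 & ~umask.

```shell
#!/bin/sh
# Added example (not amavisd code): classic Unix mode-bit check for connect()
# on a Unix-domain socket. User and group names are taken from the thread.

# socket_mode_for_umask UMASK
# Assumption: the socket file is created with mode 0777 & ~umask.
socket_mode_for_umask() {
    printf '%o\n' $(( 0777 & ~0$1 ))
}

# can_connect MODE OWNER GROUP USER "USER_GROUPS"
# Returns 0 when USER has write permission on the socket, which connect() needs.
# Exactly one permission class applies: owner, else group, else other.
can_connect() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    if [ "$user" = root ]; then return 0; fi      # root bypasses mode bits
    if [ "$user" = "$owner" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    else
        case " $user_groups " in
            *" $group "*) bits=$(( (0$mode >> 3) & 7 )) ;;
            *)            bits=$(( 0$mode & 7 )) ;;
        esac
    fi
    [ $(( $bits & 2 )) -ne 0 ]
}

# report LABEL MODE USER "USER_GROUPS": print the verdict for one scenario
report() {
    if can_connect "$2" amavis amavis "$3" "$4"; then verdict=allowed
    else verdict="Permission denied"; fi
    printf '%-34s mode %s: %s\n' "$1" "$2" "$verdict"
}

current=$(socket_mode_for_umask 0027)   # 750, matches the srwxr-x--- listing
patched=$(socket_mode_for_umask 0007)   # 770, with the umask(0007) change
report "webadmin, not in group amavis"   "$current" webadmin "webadmin"
report "webadmin, added to group amavis" "$current" webadmin "webadmin amavis"
report "webadmin, added to group amavis" "$patched" webadmin "webadmin amavis"
report "root"                            "$current" root     "root"
```

With mode 750, adding webadmin to the amavis group is still not enough, because the group class has no write bit; that is why the group-membership route needs the umask change as well. The check covers mode bits on the socket file only, not search permission on the directories leading to it or any mandatory access controls.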



Re: [AMaViS-user] amavisd-release and apache suexec [SOLVED]

2008-10-02 Thread Michael Slavin
Mark Martinec wrote:
> Michael
>>> amavisd-release need not run as any specific user, all it needs
>>> is an access to an inet or unix socket offered by amavisd.
>>
>> If run as root, it works fine. Run from the web script mailaction.php it
>> does not. I guess it is not a suexec issue as amavisd-release does
>> start, but then fails and logs
>> Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock:
>> Permission denied at /usr/bin/amavisd-release line 206.
>>
>> I finally tried from a shell, su webadmin and then run the release
>> command, that also fails with the socket permission error.
>>  srwxr-x--- 1 amavis amavis 0 Sep 17 17:19 /var/spool/amavisd/amavisd.sock
>
> You've answered yourself, it's a permission problem.
>
> The easiest way out is to abandon Unix socket and use an inet socket
> on a TCP port dedicated to releasing, e.g.:
>
>   $inet_socket_port = [10024,9998];
>   $unix_socketname = undef;
>
>   # used by amavisd-release utility of a new AM.PDP-based amavis-milter client
>   $interface_policy{'9998'} = 'AM.PDP-INET';
>
>   $policy_bank{'AM.PDP-INET'} = {
>     protocol => 'AM.PDP',  # Amavis policy delegation protocol
>     inet_acl => [qw( 127.0.0.1 [::1] )],
>   };
>
> And in amavisd-release, change socket to:
>
>   $socketname = '127.0.0.1:9998';

   
Yes! :) Joy at last, thanks a million.

Michael


Re: [AMaViS-user] amavisd-release and apache suexec

2008-09-30 Thread Michael Slavin
Mark,

Thank you for your patience and time with this. I still haven't got it
working.

Mark Martinec wrote:
> amavisd-release need not run as any specific user, all it needs
> is an access to an inet or unix socket offered by amavisd.

If run as root, it works fine. Run from the web script mailaction.php it
does not. I guess it is not a suexec issue as amavisd-release does
start, but then fails and logs

Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock:
Permission denied at /usr/bin/amavisd-release line 206.

I finally tried from a shell, su webadmin and then run the release
command, that also fails with the socket permission error.

srwxr-x--- 1 amavis amavis 0 Sep 17 17:19 /var/spool/amavisd/amavisd.sock
-rwxr-xr-x 1 root root  9194 Sep 29 14:08 /usr/bin/amavisd-release

(sorry if the above gets posted twice, I sent it ten hours ago and don't 
see it coming through.)

I've now created another subdomain in order to run mailaction.php using 
suexec amavis and still get the same Permission denied error from 
amavisd-release.


Michael



-- 
Michael Slavin /o\~/o\~/o\ 226 Santa Fe Dr.  Baldwin City, KS  66006
theWebster  ***  electronic internet publishing and graphic services
  (everywhere)

tel 785 594-6621   verizon cell 785 766-8756


Get Thunderbird http://www.mozilla.com/thunderbird/, Firefox
http://www.mozilla.com/firefox/, and MailDad http://maildad.com/,
and you're in good hands




Re: [AMaViS-user] amavisd-release and apache suexec

2008-09-29 Thread Michael Slavin
Mark Martinec wrote:
> Try changing
>   $log_level = 1;
> to
>   $log_level = 2;
>
> within amavisd-release. Perhaps also redirect its stderr to some file,
> then see what is reported.
   

Thanks Mark, I changed the log level OK but am at a loss regarding the
error messages. amavisd logs fine to my maillog but amavisd-release
doesn't appear to log anywhere at all. Please, what do I add (and where)
to start logging to, say, /var/log/amavisd-release.log

Thanks!!







Re: [AMaViS-user] amavisd-release and apache suexec

2008-09-29 Thread Michael Slavin
OK, I've made a little headway.
I changed mailaction.php line 19 to:
$ar_call = "/usr/bin/amavisd-release ".$qfile[0]." ".$sid." > /var/log/amavis-releaselog 2>&1";
I also found some error messages from apache. I have the default server 
name the same as the virtual host where these scripts live, and apache 
logs some errors to the virtual host logs and some to the mail web logs.

I now see in my amavis-releaselog:
Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock: 
Permission denied at /usr/bin/amavisd-release line 206.

line 206 is
$sock->connect( pack_sockaddr_un($socketname) )

I have already verified that the string mailaction.php passes to 
amavisd-release is OK, and runs correctly in a shell, and also that when 
it is run from a shell it logs everything to the logfile.

-m


Michael Slavin wrote:
> My problem is that stderr messages just seem to vanish. Other errors in
> the web page that calls this script get logged to weblogs just fine.
> Perhaps there's a perl setting to run in stealth mode or something? I'm
> just not real big on sysadmin and this machine seems to have newer
> versions of just about everything.
>
> Perhaps defining a logfile and then changing the do_log sub to
>   print $logfile sanitize_str($errmsg),"\n"  if $level <= $log_level;
> might work?
>
> Mark Martinec wrote:
>> Michael,
>>
>>>> Try changing
>>>>   $log_level = 1;
>>>> to
>>>>   $log_level = 2;
>>>> within amavisd-release. Perhaps also redirect its stderr to some file,
>>>> then see what is reported.
>>>
>>> Thanks Mark, I changed the log level OK but am at a loss regarding the
>>> error messages. amavisd logs fine to my maillog but amavisd-release
>>> doesn't appear to log anywhere at all. Please, what do I add (and where)
>>> to start logging to, say, /var/log/amavisd-release.log
>>
>> amavisd-release logs to stderr. Perhaps you changed $log_level in
>> file amavisd.conf - which has no effect on amavisd-release.
>> The setting must be changed directly in a program amavisd-release,
>> somewhere near its beginning.
>>
>>   Mark

   
 


   



Re: [AMaViS-user] amavisd-release and apache suexec

2008-09-23 Thread Mark Martinec
Michael,

> I'm having trouble with suexec,

amavisd-release need not run as any specific user, all it needs
is an access to an inet or unix socket offered by amavisd.

> I think, though I cannot get my server
> to log any reason the amavisd-release script fails to function on
> this particular machine. My mailaction.php file successfully extracts
> the necessary info from my mysql tables and updates them appropriately,
> and when I code in a stop-and-print clause it gives me a line like
> /usr/bin/amavisd-release A/spam-A+G9qRownvNQ.gz ulQHmofRDPr1
> that I can paste into a shell and successfully release the message from
> quarantine.
> This has had me going for days now! Any examples/suggestions please

Try changing
  $log_level = 1;
to
  $log_level = 2;

within amavisd-release. Perhaps also redirect its stderr to some file,
then see what is reported.

  Mark



[AMaViS-user] amavisd-release and apache suexec

2008-09-22 Thread Michael Slavin
I'm having trouble with suexec, I think, though I cannot get my server
to log any reason the amavisd-release script fails to function on
this particular machine. My mailaction.php file successfully extracts
the necessary info from my mysql tables and updates them appropriately,
and when I code in a stop-and-print clause it gives me a line like
/usr/bin/amavisd-release A/spam-A+G9qRownvNQ.gz ulQHmofRDPr1
that I can paste into a shell and successfully release the message from
quarantine.

This has had me going for days now! Any examples/suggestions please?



