On Wed, 3 Dec 2003, Jeffrey Laramie wrote:

> Hi Everyone,
> 
> There is an updated version of my "Beginner's Guide" now available here.
> 
> http://www.ubaight.com/xmail/BeginnersGuide.html
> 
> For those of you who haven't seen the draft, The Guide has been completely 
> re-written and has a number of new sections. If you read the draft then the 
> only substantial change is the addition of a section on installing the 
> Ecartis mailing list manager.

Big warning when using Ecartis, especially coupled with XMail. Ecartis is 
not the most secure package on earth; this is a known thing. Also, its suid 
ecartis might let you think that you are safe, but you are indeed not. 
Since XMail runs it as root, a suid ecartis does not prevent a rootkit from 
doing a setuid(0) and regaining root privileges. I use this trivial wrapper 
called swrap.c:

------------------------------------------------------------------------------

#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>     /* atoi() */

extern char **environ;  /* environment handed to the exec'd command */


static void usage(char *prg) {

        fprintf(stderr, "%s uid gid cmd [param ...]\n", prg);
}


int main(int ac, char **av) {

        if (ac < 4) {
                usage(av[0]);
                return 1;
        }
        /* Group first: once the uid is no longer 0, setgid() would be
         * refused. Because the caller is root, setuid() resets the
         * real, effective and saved uids, so the exec'd command has
         * no saved root uid to setuid(0) back to. */
        if (setgid(atoi(av[2])) || setuid(atoi(av[1]))) {
                perror("setgid/setuid");
                return 2;
        }
        /* Replace this process with the command given in av[3...]. */
        execve(av[3], &av[3], environ);
        perror(av[3]);
        return 3;
}

-------------------------------------------------------------------


and I use this as ecartis.sh script (the one run by XMail):

-------------------------------------------------------------------
#!/bin/sh
# Run by XMail as root: convert the message to a mailbox file, then hand
# it to ecartis through swrap so ecartis runs as the unprivileged user.
DIRNAME=`dirname "$0"`
FILENAME=$1
shift
"$DIRNAME/econv" --mbox --unix --input "$FILENAME" > "$FILENAME.lst"
"$DIRNAME/swrap" 503 503 "$DIRNAME/ecartis" -f "$FILENAME.lst" "$@"
rm -f "$FILENAME"*
-------------------------------------------------------------------

Replace 503 with the real uid/gid of the ecartis user/group. Also, a small 
change to the Ecartis src/core.c file:

+#define MAX_STK_SHIFT 1024
                                                                                       
                                                   
int main (int argc, char** argv)
{
    char *temp;
    int errors = 0;
    int exitearly = 0;
    int count = 0;
    char buf[BIG_BUF];
                                                                                       
                                                   
+   srand(time(NULL) * getpid() + XXXX);
+   alloca(rand() % MAX_STK_SHIFT);
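Review bot: the two added lines at the top of `main` call `srand`, `rand`, `time`, `getpid` and `alloca`, but the hunk shows no matching includes (`<stdlib.h>`, `<time.h>`, `<unistd.h>`, `<alloca.h>`), so check that `core.c` already pulls them in, otherwise `alloca` in particular ends up implicitly declared. Two further points: the result of `alloca(rand() % MAX_STK_SHIFT)` is discarded, so store it in a `volatile` pointer or touch the memory to be sure the compiler keeps the stack adjustment; and with `MAX_STK_SHIFT` at 1024 the shift is at most 1023 bytes, further coarsened by stack alignment, which yields only a small number of distinct frame positions. Treat it as a speed bump on top of the `swrap` privilege drop, not a replacement for it, and keep `XXXX` documented as a placeholder the builder must replace.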

where XXXX is your secret constant. Also, I run prelink (-R):

http://freshmeat.net/projects/prelink/?topic_id=253

on Ecartis, econv and (just to be sure) XMail binary.




- Davide


-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
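As an added example (not code from the original post, nor from XMail or Ecartis), here is a stricter variant of the privilege-dropping wrapper in C. It parses the ids strictly and refuses uid/gid 0 (atoi() turns "0" or a typo into 0, which would silently keep root), clears the supplementary groups inherited from root, which setgid() does not touch, and verifies before the execve() that setuid(0) is now refused. The helper id_of() exists only to expose the parser's result; its name, drop_privs() and the 503 placeholder are assumptions.

```c
/* Added example: stricter privilege-dropping wrapper. Not part of the
 * original post; names and the placeholder id 503 are assumptions. */
#define _GNU_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

extern char **environ;

/* Parse a numeric id strictly: the whole string must be decimal digits
 * and the value must be non-zero, so root can never be requested.
 * Returns 0 on success, -1 on any error. */
int parse_id(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v == 0)
        return -1;
    *out = v;
    return 0;
}

/* Convenience helper for callers and tests: the parsed id, or -1. */
long id_of(const char *s)
{
    unsigned long v;

    return parse_id(s, &v) == 0 ? (long)v : -1;
}

/* Drop to uid/gid and confirm root cannot be regained. Returns 0 only
 * when the supplementary groups are cleared, both ids are set, and a
 * subsequent setuid(0) is refused by the kernel. */
int drop_privs(uid_t uid, gid_t gid)
{
    /* Supplementary groups are inherited from the (root) caller and are
     * not affected by setgid(); clear them explicitly. */
    if (setgroups(0, NULL) != 0)
        return -1;
    /* gid first: once the uid is non-zero, setgid() is no longer allowed. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Called as root, setuid() changed real, effective and saved uids,
     * so this must fail. If it succeeds, something kept a root uid. */
    if (setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    unsigned long uid, gid;

    if (argc < 4) {
        fprintf(stderr, "%s uid gid cmd [param ...]\n", argv[0]);
        return 1;
    }
    if (parse_id(argv[1], &uid) != 0 || parse_id(argv[2], &gid) != 0) {
        fprintf(stderr, "uid and gid must be numeric and non-zero\n");
        return 1;
    }
    if (drop_privs((uid_t)uid, (gid_t)gid) != 0) {
        perror("drop_privs");
        return 2;
    }
    /* Replace this process with the target command, e.g.
     * ./swrap2 503 503 /path/to/ecartis -f msg.lst */
    execve(argv[3], &argv[3], environ);
    perror(argv[3]);
    return 3;
}
```

The setuid(0) probe is the check a practitioner wants: it fails for the right reason only when the wrapper was started as root and the drop affected all three uids, which is exactly the case XMail creates by running the script as root.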
