Your message dated Sun, 29 Nov 2020 10:08:52 +0100
with message-id <[email protected]>
and subject line Re: Bug#868313: sympa: incorrect permissions for helper
commands with opensmtpd
has caused the Debian Bug report #868313,
regarding sympa: incorrect permissions for helper commands with opensmtpd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
868313: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868313
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sympa
Version: 6.2.16~dfsg-3
Severity: important
Hello,
When trying to run sympa with opensmtpd, I encountered some permission
issues.
When using aliases files to map for example
sympa "| /usr/lib/sympa/bin/queue [email protected]"
as opensmtpd runs these commands as its unprivileged user
("opensmtpd"), these commands run with that UID, and therefore cannot
access various necessary files as the sympa.config file that is only
readable by the sympa user or root.
I have found that the best way to fix this issue would be to have all
the files deployed to /usr/lib/sympa/bin/* under sympa:root permissions,
but with SETUID set.
So I basically did:
chown sympa /var/lib/sympa/bin/*
chmod 4755 /var/lib/sympa/bin/*
There is one notable exception though, the binary
/var/lib/sympa/bin/sympa_newaliases-wrapper needs to run the newaliases
command, which needs root permissions.
So that particular file will also need the Setuid set, but be owned by
root:root instead of sympa:root, for this very reason.
Opensmtpd does not actually need to run the newaliases command, but other
MTAs will, and even if I didn't check for myself, I suspect other MTAs
will attempt to run the /var/lib/sympa/bin commands as unprivileged
users and run into the same problems opensmtpd did, therefore needing
these setuid set.
The code and actions of sympa_newaliases-wrapper seem benign enough that
we could allow it to have the root setuid, but maybe a closer inspection
would be needed by someone more familiar than me with its mechanics.
https://github.com/sympa-community/sympa/blob/master/src/libexec/sympa_newaliases-wrapper.c
As is, this proposed solution is the best, simplest and safest I could
come up with.
hope this helps :)
--- End Message ---
--- Begin Message ---
On 7/14/17 2:31 PM, Daniel ".koolfy" Faucon wrote:
> Package: sympa
> Version: 6.2.16~dfsg-3
> Severity: important
>
>
> Hello,
>
> When trying to run sympa with opensmtpd, I encountered some permission
> issues.
> When using aliases files to map for example
>
> sympa "| /usr/lib/sympa/bin/queue [email protected]"
> as opensmtpd runs these commands as its unprivileged user
> ("opensmtpd"), these commands run with that UID, and therefore cannot
> access various necessary files as the sympa.config file that is only
> readable by the sympa user or root.
>
> I have found that the best way to fix this issue would be to have all
> the files deployed to /usr/lib/sympa/bin/* under sympa:root permissions,
> but with SETUID set.
>
> So I basically did:
>
> chown sympa /var/lib/sympa/bin/*
> chmod 4755 /var/lib/sympa/bin/*
>
>
> There is one notable exception though, the binary
> /var/lib/sympa/bin/sympa_newaliases-wrapper needs to run the newaliases
> command, which needs root permissions.
>
> So that particular file will also need the Setuid set, but be owned by
> root:root instead of sympa:root, for this very reason.
>
> Opensmtpd does not actually need to run the newaliases command, but other
> MTAs will, and even if I didn't check for myself, I suspect other MTAs
> will attempt to run the /var/lib/sympa/bin commands as unprivileged
> users and run into the same problems opensmtpd did, therefore needing
> these setuid set.
>
>
> The code and actions of sympa_newaliases-wrapper seem benign enough that
> we could allow it to have the root setuid, but maybe a closer inspection
> would be needed by someone more familiar than me with its mechanics.
>
> https://github.com/sympa-community/sympa/blob/master/src/libexec/sympa_newaliases-wrapper.c
>
> As is, this proposed solution is the best, simplest and safest I could
> come up with.
>
> hope this helps :)
>
>
Sorry for this very late reply. Integration with OpenSMTPd is documented at
https://sympa-community.github.io/manual/install/configure-mail-server-opensmtpd.html
with additional instructions on
https://github.com/sympa-community/sympa-community.github.io/issues/51.
Also, you can prevent calling the wrapper / the newaliases program with the
following setting in sympa.conf:
aliases_program none
Regards
Racke
--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
--- End Message ---
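The report above proposes a layout in which every helper in the Sympa bin directory is setuid and owned by the sympa user, with a single exception (sympa_newaliases-wrapper) that is setuid root. A defender applying or reviewing such a layout wants a quick way to see which files actually carry the setuid bit, who owns them, and whether any setuid file owned by a privileged account is one that was not expected. The POSIX shell functions below are an added example, not code from the bug report, from Debian or from the Sympa project; the directory path and the helper names used in the usage block at the end are constructed for illustration (the real Debian helpers live under /usr/lib/sympa/bin, as the report states).

```shell
#!/bin/sh
# Audit setuid helper binaries in a directory (added example, not Sympa code).
# audit_helpers DIR prints one line per regular file:
#   <class> <owner> <path>
# where <class> is "setuid-root", "setuid-user" or "plain".

file_owner() {
    # The owner column of "ls -l" is stable across GNU and BSD ls;
    # stat(1) flags differ between them, so we avoid it here.
    ls -ld "$1" | awk '{print $3}'
}

audit_helpers() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        owner=$(file_owner "$f")
        if [ -u "$f" ]; then            # POSIX test: setuid bit set
            if [ "$owner" = "root" ]; then
                printf 'setuid-root %s %s\n' "$owner" "$f"
            else
                printf 'setuid-user %s %s\n' "$owner" "$f"
            fi
        else
            printf 'plain %s %s\n' "$owner" "$f"
        fi
    done
}

count_setuid() {
    # Number of setuid files (either class) in DIR; prints 0 when none.
    audit_helpers "$1" | grep -c '^setuid-' || true
}

unexpected_setuid() {
    # unexpected_setuid DIR OWNER ALLOWED_NAME
    # Prints every setuid file in DIR owned by OWNER whose basename is not
    # ALLOWED_NAME. For the layout proposed in the report, OWNER is "root"
    # and ALLOWED_NAME is "sympa_newaliases-wrapper": any other setuid-root
    # helper is a finding to review. Returns 0 when nothing is printed.
    dir="$1"; owner="$2"; allowed="$3"
    audit_helpers "$dir" | awk -v o="$owner" -v ok="$dir/$allowed" '
        $1 ~ /^setuid-/ && $2 == o && $3 != ok { print $3; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Usage on the real installation would be:
#   audit_helpers /usr/lib/sympa/bin
#   unexpected_setuid /usr/lib/sympa/bin root sympa_newaliases-wrapper
```

Run the audit before and after applying any chown/chmod change so the diff of the two listings documents exactly which helpers gained the setuid bit and under which owner. unexpected_setuid returns non-zero when an unplanned setuid file owned by the given account exists, which makes it usable as a check in configuration management after package upgrades restore the packaged permissions.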