Bug#636881: Milter socket permissions not set properly
Upstream has targeted this for 0.98.6, but did not comment on the patch. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#636881: Milter socket permissions not set properly
On 2011-10-27 07:16:54 [-0700], Dara Adib wrote: See my reply to #636877, but basically one either has to make clamav a member of group postfix or set SOCKET_RWGROUP in /etc/default/clamav-milter but not in clamav-milter.conf. root@domine:/var/spool/postfix/clamav# grep Milter /etc/clamav/clamav-milter.conf MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl MilterSocketGroup postfix MilterSocketMode 660 clamav needs to be a member of group postfix so that it can set postfix group ownership for the milter socket. s- 1 clamav clamav 0 Aug 6 19:20 clamav-milter.ctl Reproducing this problem, it seems that this is the behavior when clamav-milter cannot change the socket group ownership. There should be an error message Failed to change socket ownership to group postfix in syslog. That error message appears in a recent version. And it does that as root. It seems the MilterSocket settings in clamav-milter.conf are applied by default after privileges are dropped, as clamav by default which can't change group ownership unless it is a member of the group. What works for me (besides adding clamav to group postfix, which might be an extra security risk?): $ grep Milter /etc/clamav/clamav-milter.conf MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl #MilterSocketGroup postfix # handled by /etc/default/clamav-milter MilterSocketMode 660 $ ls -l total 0 srw-rw 1 clamav postfix 0 Oct 27 07:13 clamav-milter.ctl $ grep -v ^\# /etc/default/clamav-milter SOCKET_RWGROUP=postfix SOCKET_PATH=/var/spool/postfix/clamav/clamav-milter.ctl Since clamav-milter is started as root anyways and then drops privileges to user clamav in the default configuration, I would assume that the socket group ownership as specified in clamav-milter.conf could be changed earlier on as root, and that this would be the preferred fix (depending on upstream), obsoleting /etc/default/clamav-milter. I have the following patch to get this behaviour. From dca6bd7cd4544fb2d30cf79fb3b9c4117e6b52c4 Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior sebast...@breakpoint.cc Date: Tue, 11 Mar 2014 21:09:32 +0100 Subject: [PATCH] clamav-milter: setup socket before dropping root permission If the milter socket should be setup as |User clamav |MilterSocket /var/run/clamav/clamav-milter.ctl |MilterSocketGroup postfix |MilterSocketMode 660 and the user clamav is not a member of the postfix then the start fails with | - ERROR: Failed to change socket ownership to group postfix This is not really required because the process is started as root. It can first setup the socket and then drop the root permission and change to the clamav user. This patch does so. BTS #636881 Signed-off-by: Sebastian Andrzej Siewior sebast...@breakpoint.cc --- clamav-milter/clamav-milter.c | 193 +- 1 file changed, 98 insertions(+), 95 deletions(-) diff --git a/clamav-milter/clamav-milter.c b/clamav-milter/clamav-milter.c index 95ff8a0..49cca71 100644 --- a/clamav-milter/clamav-milter.c +++ b/clamav-milter/clamav-milter.c @@ -114,6 +114,104 @@ int main(int argc, char **argv) { } } +if(!(my_socket = optget(opts, MilterSocket)-strarg)) { + logg(!Please configure the MilterSocket directive\n); + logg_close(); + optfree(opts); + return 1; +} + +if(smfi_setconn(my_socket) == MI_FAILURE) { + logg(!smfi_setconn failed\n); + logg_close(); + optfree(opts); + return 1; +} +if(smfi_register(descr) == MI_FAILURE) { + logg(!smfi_register failed\n); + logg_close(); + optfree(opts); + return 1; +} +opt = optget(opts, FixStaleSocket); +umsk = umask(0777); /* socket is created with 000 to avoid races */ +if(smfi_opensocket(opt-enabled) == MI_FAILURE) { + logg(!Failed to create socket %s\n, my_socket); + logg_close(); + optfree(opts); + return 1; +} +umask(umsk); /* restore umask */ +if(strncmp(my_socket, inet:, 5) strncmp(my_socket, inet6:, 6)) { + /* set group ownership and perms on the local socket */ + char *sock_name = my_socket; + mode_t sock_mode; + if(!strncmp(my_socket, unix:, 5)) + sock_name += 5; + if(!strncmp(my_socket, local:, 6)) + sock_name += 6; + if(*my_socket == ':') + sock_name ++; + + if(optget(opts, MilterSocketGroup)-enabled) { + char *gname = optget(opts, MilterSocketGroup)-strarg, *end; + gid_t sock_gid = strtol(gname, end, 10); + if(*end) { + struct group *pgrp = getgrnam(gname); + if(!pgrp) { + logg(!Unknown group %s\n, gname); + logg_close(); + optfree(opts); + return 1; + } + sock_gid = pgrp-gr_gid; + } + if(chown(sock_name, -1, sock_gid)) {
Bug#636881: Milter socket permissions not set properly
The bug is still here; wheezy/ 0.97.8+dfsg-1 In /usr/share/doc/clamav-base/README.Debian.gz I see As of 0.96, clamav-milter will take care of making the socket writable for a group. This is done by setting MilterSocketGroup and MilterSocketMode to useful values in your /etc/clamav/clamav-milter.conf (for instance, postfix and 0664, respectively). But that don't work with this in log: Thu Aug 15 15:32:03 2013 - ERROR: Failed to change socket ownership to group postfix Hand-made changes in default/clamav-milter (as stated here) helps. -- Лыков Михаил, системный администратор -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#636881: Milter socket permissions not set properly
See my reply to #636877, but basically one either has to make clamav a member of group postfix or set SOCKET_RWGROUP in /etc/default/clamav-milter but not in clamav-milter.conf. root@domine:/var/spool/postfix/clamav# grep Milter /etc/clamav/clamav-milter.conf MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl MilterSocketGroup postfix MilterSocketMode 660 clamav needs to be a member of group postfix so that it can set postfix group ownership for the milter socket. s- 1 clamav clamav 0 Aug 6 19:20 clamav-milter.ctl Reproducing this problem, it seems that this is the behavior when clamav-milter cannot change the socket group ownership. There should be an error message Failed to change socket ownership to group postfix in syslog. This is because the init.d script now does chgrp and chmod g+w, but not more. And it does that as root. It seems the MilterSocket settings in clamav-milter.conf are applied by default after privileges are dropped, as clamav by default which can't change group ownership unless it is a member of the group. What works for me (besides adding clamav to group postfix, which might be an extra security risk?): $ grep Milter /etc/clamav/clamav-milter.conf MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl #MilterSocketGroup postfix # handled by /etc/default/clamav-milter MilterSocketMode 660 $ ls -l total 0 srw-rw 1 clamav postfix 0 Oct 27 07:13 clamav-milter.ctl $ grep -v ^\# /etc/default/clamav-milter SOCKET_RWGROUP=postfix SOCKET_PATH=/var/spool/postfix/clamav/clamav-milter.ctl Since clamav-milter is started as root anyways and then drops privileges to user clamav in the default configuration, I would assume that the socket group ownership as specified in clamav-milter.conf could be changed earlier on as root, and that this would be the preferred fix (depending on upstream), obsoleting /etc/default/clamav-milter. Dara -- OCF: all-volunteer, student-run service group providing free printing, web hosting, disk space, email, and Unix shell accounts -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#636881: Milter socket permissions not set properly
Package: clamav-milter Version: 0.97.2+dfsg-1~squeeze1 Severity: important Tags: upstream It seems no longer possible to set permissions of the milter socket: root@domine:/var/spool/postfix/clamav# grep Milter /etc/clamav/clamav-milter.conf MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl MilterSocketGroup postfix MilterSocketMode 660 root@domine:/var/spool/postfix/clamav# /etc/init.d/clamav-milter restart Stopping Sendmail milter plugin for ClamAV: clamav-milter. Starting Sendmail milter plugin for ClamAV: clamav-milter. root@domine:/var/spool/postfix/clamav# ls -l total 0 s- 1 clamav clamav 0 Aug 6 19:20 clamav-milter.ctl If I uncomment the RWGROUP in /etc/default/clamav-milter, then I get sw 1 clamav postfix 0 Aug 6 19:21 clamav-milter.ctl This is because the init.d script now does chgrp and chmod g+w, but not more. That this is configurable in both places is subject of #636877. I think the bug is in clamav-milter, hence tagging this upstream. -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.0.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- .''`. martin f. krafft madduck@d.o Related projects: : :' : proud Debian developer http://debiansystem.info `. `'` http://people.debian.org/~madduckhttp://vcs-pkg.org `- Debian - when you have better things to do than fixing systems digital_signature_gpg.asc Description: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)