Re: spamd & spamlogd open sync port 8025 as root

2016-03-18 Thread Craig Skinner
Hi Ricardo/All,

On 2015-12-18 Fri 20:20 PM |, Craig Skinner wrote:
> Hi!
> 
> FYI;- I've noticed spamd & spamlogd open their high ports as root.
> 
> These pf rules work, changing to 'user _spamd' doesn't:
> 
> pass in on $ext_if inet proto udp \
>   from $ext_if:network port > 1023 \
>   to $ext_if:0 port spamd-sync \
>   user root
> 
> pass out on $ext_if inet proto udp \
>   from $ext_if:0 port > 1023 \
>   to $ext_if:network port spamd-sync \
>   user root
> 
> 
> $ fstat -u _spamd | fgrep internet
> _spamd   spamlogd28614* internet dgram udp *:12412
> _spamd   spamd   14083* internet stream tcp 0x0 *:8025
> _spamd   spamd   14084* internet stream tcp 0x0 127.0.0.1:8026
> _spamd   spamd   14085* internet dgram udp 203.0.113.21:8025
> _spamd   spamd  111543* internet stream tcp 0x0 *:8025
> _spamd   spamd  111544* internet stream tcp 0x0 127.0.0.1:8026
> _spamd   spamd  111545* internet dgram udp 203.0.113.21:8025
> _spamd   spamd  114523* internet stream tcp 0x0 *:8025
> _spamd   spamd  114524* internet stream tcp 0x0 127.0.0.1:8026
> _spamd   spamd  114525* internet dgram udp 203.0.113.21:8025
> 
> 
> This box syslogs:
> Dec 18 15:13:25 palm spamd[1408]: new WHITE from 203.0.113.20 for 208.70.245.125, expires 1453562006
> 
> The WHITE would be from spamlogd sending to UDP 8025 as root,
> since the pf rules above for that port require root to function.
> 
> 
> The source files show all the sockets are opened before priv drop.
> 
> As the ports are above 1023, is this necessary? - I'm not a C coder...
> 

Thanks Ricardo for your patch moving spamd.c's port binding
to the unpriv code block for this bug I found.

With spamd rebuilt & restarted, I'm trying to inject some test data
from another box which spamd syncs in both directions (as root).

This claims to connect & hangs:
(Nothing in the updated box's syslogs from spamd.)

$ KEY_SHA1=$(sha1 -q /etc/mail/spamd.key)
$ print "2 3 145880 145890 1.23.456.789 $KEY_SHA1 0" |
nc -4uv mx.example.net 8025
Connection to mx.example.net 8025 port [udp/spamd-sync] succeeded!

^C


tcpdump on the spamd modified sync receive mx.example.net box shows:

Mar 18 18:35:28.334256 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334309 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334360 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334442 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.339011 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 124: 203.0.113.21.33635 > 203.0.113.20.8025: udp 82

How can test data be sent to spamd?

Thanks.
-- 
Some people claim that the UNIX learning curve is steep,
but at least you only have to climb it once.
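The privilege-drop ordering discussed in this thread (sockets opened before the drop, so pf's `user _spamd` never matches and the rules have to say `user root`) can be shown in a few lines. The following is an added illustration, not code from spamd or from Ricardo's patch: it drops root to an unprivileged user first and only then binds the high UDP sync port, so the socket is owned by that user. The user name `_spamd` and port 8025 are taken from the thread; the function names and the use of plain setgid/setuid are my own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Drop root to the named unprivileged account (example helper, not spamd's).
 * Returns 0 on success or when there is nothing to drop, -1 on failure. */
int drop_privs(const char *user)
{
	if (geteuid() != 0)
		return 0;	/* already unprivileged */
	struct passwd *pw = getpwnam(user);
	if (pw == NULL)
		return -1;
	/* Supplementary groups first, then gid, then uid: the reverse
	 * order would leave us unable to finish the drop. */
	if (setgroups(1, &pw->pw_gid) == -1)
		return -1;
	if (setgid(pw->pw_gid) == -1)
		return -1;
	if (setuid(pw->pw_uid) == -1)
		return -1;
	return 0;
}

/* Bind a UDP socket to addr:port.  Ports above 1023 need no privilege,
 * so this can safely run after drop_privs().  Returns the fd or -1. */
int bind_udp(const char *addr, unsigned short port)
{
	int fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd == -1)
		return -1;
	struct sockaddr_in sin;
	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
	    bind(fd, (struct sockaddr *)&sin, sizeof sin) == -1) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Report the local port a bound socket ended up on (0 on error). */
unsigned short bound_port(int fd)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof sin;
	if (getsockname(fd, (struct sockaddr *)&sin, &len) == -1)
		return 0;
	return ntohs(sin.sin_port);
}

int main(void)
{
	/* Order matters: drop first, bind second.  A pf rule written as
	 * "user _spamd" matches the owner of the socket at bind time. */
	if (drop_privs("_spamd") == -1) {
		perror("drop_privs");
		return 1;
	}
	int fd = bind_udp("0.0.0.0", 8025);
	if (fd == -1) {
		perror("bind_udp");
		return 1;
	}
	printf("sync socket on udp port %u owned by uid %u\n",
	    bound_port(fd), (unsigned)geteuid());
	close(fd);
	return 0;
}
```

Run as root on a host that has the `_spamd` account and `fstat -u _spamd` will list the 8025 socket, which is exactly what lets the pf rules use `user _spamd` instead of `user root`. The same ordering applies to the spamlogd side of the sync.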



spamd & spamlogd open sync port 8025 as root

2015-12-18 Thread Craig Skinner
Hi!

FYI;- I've noticed spamd & spamlogd open their high ports as root.

These pf rules work, changing to 'user _spamd' doesn't:

pass in on $ext_if inet proto udp \
from $ext_if:network port > 1023 \
to $ext_if:0 port spamd-sync \
user root

pass out on $ext_if inet proto udp \
from $ext_if:0 port > 1023 \
to $ext_if:network port spamd-sync \
user root


$ fstat -u _spamd | fgrep internet
_spamd   spamlogd28614* internet dgram udp *:12412
_spamd   spamd   14083* internet stream tcp 0x0 *:8025
_spamd   spamd   14084* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd   14085* internet dgram udp 78.33.153.147:8025
_spamd   spamd  111543* internet stream tcp 0x0 *:8025
_spamd   spamd  111544* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd  111545* internet dgram udp 78.33.153.147:8025
_spamd   spamd  114523* internet stream tcp 0x0 *:8025
_spamd   spamd  114524* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd  114525* internet dgram udp 78.33.153.147:8025


This box syslogs:
Dec 18 15:13:25 palm spamd[1408]: new WHITE from 78.33.153.148 for 208.70.245.125, expires 1453562006

The WHITE would be from spamlogd sending to UDP 8025 as root,
since the pf rules above for that port require root to function.


The source files show all the sockets are opened before priv drop.

As the ports are above 1023, is this necessary? - I'm not a C coder...

The more recent commit logs & source don't seem to have changed in this
regard from:

$ head -n 5 /var/run/dmesg.boot
OpenBSD 5.7 (GENERIC) #738: Sun Mar  8 10:59:31 MDT 2015
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 349 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,PERF
real mem  = 267849728 (255MB)