Re: spamd & spamlogd open sync port 8025 as root
Hi Ricardo/All,

On 2015-12-18 Fri 20:20 PM |, Craig Skinner wrote:
> Hi!
>
> FYI;- I've noticed spamd & spamlogd open their high ports as root.
>
> These pf rules work, changing to 'user _spamd' doesn't:
>
> pass in on $ext_if inet proto udp \
>     from $ext_if:network port > 1023 \
>     to $ext_if:0 port spamd-sync \
>     user root
>
> pass out on $ext_if inet proto udp \
>     from $ext_if:0 port > 1023 \
>     to $ext_if:network port spamd-sync \
>     user root
>
>
> $ fstat -u _spamd | fgrep internet
> _spamd   spamlogd    2861    4* internet dgram udp *:12412
> _spamd   spamd       1408    3* internet stream tcp 0x0 *:8025
> _spamd   spamd       1408    4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd   spamd       1408    5* internet dgram udp 203.0.113.21:8025
> _spamd   spamd      11154    3* internet stream tcp 0x0 *:8025
> _spamd   spamd      11154    4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd   spamd      11154    5* internet dgram udp 203.0.113.21:8025
> _spamd   spamd      11452    3* internet stream tcp 0x0 *:8025
> _spamd   spamd      11452    4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd   spamd      11452    5* internet dgram udp 203.0.113.21:8025
>
>
> This box syslogs:
> Dec 18 15:13:25 palm spamd[1408]: new WHITE from 203.0.113.20 for
> 208.70.245.125, expires 1453562006
>
> The WHITE would be from spamlogd sending to UDP 8025 as root
> due to the pf rules above for that port require root to function.
>
>
> The source files show all the sockets are opened before priv drop.
>
> As the ports are above 1023, is this necessary? - I'm not a C coder...
>

Thanks Ricardo for your patch moving spamd.c's port binding to the unpriv
code block for this bug I found.

With spamd rebuilt & restarted, I'm trying to inject some test data from
another box which spamd syncs in both directions (as root).

This claims to connect & hangs:
(Nothing in the updated box's syslogs from spamd.)

$ KEY_SHA1=$(sha1 -q /etc/mail/spamd.key)
$ print "2 3 145880 145890 1.23.456.789 $KEY_SHA1 0" | nc -4uv mx.example.net 8025
Connection to mx.example.net 8025 port [udp/spamd-sync] succeeded!
^C

tcpdump on the spamd modified sync receive mx.example.net box shows:

Mar 18 18:35:28.334256 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334309 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334360 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334442 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.339011 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 124: 203.0.113.21.33635 > 203.0.113.20.8025: udp 82

How can test data be sent to spamd?

Thanks.

-- 
Some people claim that the UNIX learning curve is steep,
but at least you only have to climb it once.
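The datagram spamd's sync receiver expects is binary and HMAC-authenticated, so the ASCII line piped through nc above fails at the very first field check and is dropped. The Python below is an added example, not code from this thread or from OpenBSD: it assumes the spam_synchdr / spam_synctlv_addr layout, SPAM_SYNC_VERSION 2, the END/WHITE/TRAPPED TLV type values and the zeroed-sh_hmac HMAC-SHA1 convention as they appear in spamd's sync.h and sync.c, and that the HMAC key is the hex SHA-1 of /etc/mail/spamd.key (the reason for `sha1 -q` above); verify those against your own source tree. It builds one WHITE update and runs the receiver-side checks over it, so both sides of the exchange can be exercised offline.

```python
import hashlib, hmac, socket, struct

SPAM_SYNC_VERSION = 2
SPAM_SYNC_WHITE, SPAM_SYNC_TRAPPED = 2, 3
HDR = struct.Struct("!BBHI20s4x")    # spam_synchdr: version, type, length, counter, hmac, pad
ADDR_TLV = struct.Struct("!HHII4s")  # spam_synctlv_addr: type, length, timestamp, expire, ip
END_TLV = struct.pack("!HH", 0, 4)   # SPAM_SYNC_END marker closing every packet

def sync_key(keyfile_bytes):
    # Assumption (from sync_init): the HMAC key is the hex SHA-1 digest of the key
    # file's contents, i.e. exactly what `sha1 -q /etc/mail/spamd.key` prints.
    return hashlib.sha1(keyfile_bytes).hexdigest().encode()

def build_packet(key, entries, counter):
    """entries: [(tlv_type, dotted_ip, timestamp, expire)] -> one authenticated datagram."""
    body = b"".join(ADDR_TLV.pack(t, ADDR_TLV.size, ts, exp, socket.inet_aton(ip))
                    for t, ip, ts, exp in entries) + END_TLV
    length = HDR.size + len(body)
    # HMAC-SHA1 covers the whole packet with the sh_hmac field zeroed.
    unsigned = HDR.pack(SPAM_SYNC_VERSION, 0, length, counter, b"\0" * 20) + body
    mac = hmac.new(key, unsigned, hashlib.sha1).digest()
    return HDR.pack(SPAM_SYNC_VERSION, 0, length, counter, mac) + body

def parse_packet(key, data):
    """Receiver-side checks in the order sync_recv() applies them: header size, version,
    declared length, HMAC, then the TLV walk. Returns [(type, ip, timestamp, expire)]
    or None when the datagram would be discarded (the silent 'trunc' path)."""
    if len(data) < HDR.size:
        return None
    ver, _typ, length, _ctr, mac = HDR.unpack_from(data)
    if ver != SPAM_SYNC_VERSION or len(data) < length:
        return None
    data = data[:length]
    zeroed = data[:8] + b"\0" * 20 + data[28:]
    if not hmac.compare_digest(hmac.new(key, zeroed, hashlib.sha1).digest(), mac):
        return None
    out, off = [], HDR.size
    while off + 4 <= length:
        t, l = struct.unpack_from("!HH", data, off)
        if t == 0:                      # SPAM_SYNC_END
            return out
        # Only WHITE/TRAPPED address TLVs are decoded here; GREY TLVs are out of scope.
        if t not in (SPAM_SYNC_WHITE, SPAM_SYNC_TRAPPED) or l != ADDR_TLV.size or off + l > length:
            return None
        _, _, ts, exp, ip = ADDR_TLV.unpack_from(data, off)
        out.append((t, socket.inet_ntoa(ip), ts, exp))
        off += l
    return None                         # ran off the end without an END marker
```

A constructed key and a WHITE entry with the expiry value from the syslog line above round-trip through both functions; a truncated, re-keyed or bit-flipped copy, and the text line from the nc test, all come back as None.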
spamd & spamlogd open sync port 8025 as root
Hi!

FYI;- I've noticed spamd & spamlogd open their high ports as root.

These pf rules work, changing to 'user _spamd' doesn't:

pass in on $ext_if inet proto udp \
    from $ext_if:network port > 1023 \
    to $ext_if:0 port spamd-sync \
    user root

pass out on $ext_if inet proto udp \
    from $ext_if:0 port > 1023 \
    to $ext_if:network port spamd-sync \
    user root


$ fstat -u _spamd | fgrep internet
_spamd   spamlogd    2861    4* internet dgram udp *:12412
_spamd   spamd       1408    3* internet stream tcp 0x0 *:8025
_spamd   spamd       1408    4* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd       1408    5* internet dgram udp 78.33.153.147:8025
_spamd   spamd      11154    3* internet stream tcp 0x0 *:8025
_spamd   spamd      11154    4* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd      11154    5* internet dgram udp 78.33.153.147:8025
_spamd   spamd      11452    3* internet stream tcp 0x0 *:8025
_spamd   spamd      11452    4* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd      11452    5* internet dgram udp 78.33.153.147:8025


This box syslogs:
Dec 18 15:13:25 palm spamd[1408]: new WHITE from 78.33.153.148 for
208.70.245.125, expires 1453562006

The WHITE would be from spamlogd sending to UDP 8025 as root
due to the pf rules above for that port require root to function.


The source files show all the sockets are opened before priv drop.

As the ports are above 1023, is this necessary? - I'm not a C coder...

The more recent commit logs & source don't seem to have changed in this
regard from:

$ head -n 5 /var/run/dmesg.boot
OpenBSD 5.7 (GENERIC) #738: Sun Mar 8 10:59:31 MDT 2015
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 349 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,PERF
real mem = 267849728 (255MB)