Hi Ricardo/All,

On 2015-12-18 Fri 20:20 PM, Craig Skinner wrote:
> Hi!
>
> FYI;- I've noticed spamd & spamlogd open their high ports as root.
>
> These pf rules work, changing to 'user _spamd' doesn't:
>
> pass in on $ext_if inet proto udp \
>     from $ext_if:network port > 1023 \
>     to $ext_if:0 port spamd-sync \
>     user root
>
> pass out on $ext_if inet proto udp \
>     from $ext_if:0 port > 1023 \
>     to $ext_if:network port spamd-sync \
>     user root
>
>
> $ fstat -u _spamd | fgrep internet
> _spamd spamlogd 2861 4* internet dgram udp *:12412
> _spamd spamd 1408 3* internet stream tcp 0x0 *:8025
> _spamd spamd 1408 4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd spamd 1408 5* internet dgram udp 203.0.113.21:8025
> _spamd spamd 11154 3* internet stream tcp 0x0 *:8025
> _spamd spamd 11154 4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd spamd 11154 5* internet dgram udp 203.0.113.21:8025
> _spamd spamd 11452 3* internet stream tcp 0x0 *:8025
> _spamd spamd 11452 4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd spamd 11452 5* internet dgram udp 203.0.113.21:8025
>
>
> This box syslogs:
> Dec 18 15:13:25 palm spamd[1408]: new WHITE from 203.0.113.20 for
> 208.70.245.125, expires 1453562006
>
> The WHITE would be from spamlogd sending to UDP 8025 as root,
> because the pf rules above for that port require root to function.
>
>
> The source files show all the sockets are opened before priv drop.
>
> As the ports are above 1023, is this necessary? - I'm not a C coder...
>
Thanks Ricardo for your patch moving spamd.c's port binding to the unpriv code block for this bug I found.

With spamd rebuilt & restarted, I'm trying to inject some test data from another box which spamd syncs in both directions (as root).

This claims to connect & hangs (nothing in the updated box's syslogs from spamd):

$ KEY_SHA1=$(sha1 -q /etc/mail/spamd.key)
$ print "2 3 1458800000 1458900000 1.23.456.789 $KEY_SHA1 0" | nc -4uv mx.example.net 8025
Connection to mx.example.net 8025 port [udp/spamd-sync] succeeded!
^C

tcpdump on the sync-receiving box mx.example.net (running the modified spamd) shows:

Mar 18 18:35:28.334256 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334309 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334360 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334442 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60: 203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.339011 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 124: 203.0.113.21.33635 > 203.0.113.20.8025: udp 82

How can test data be sent to spamd?

Thanks.

-- 
Some people claim that the UNIX learning curve is steep,
but at least you only have to climb it once.
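Added example, not code from this thread or from the OpenBSD project: spamd's sync datagrams are not text lines but a binary header plus TLV records, authenticated with HMAC-SHA1 under the shared key in /etc/mail/spamd.key, and a receiver discards anything that does not verify rather than logging it. The script below builds and verifies a packet in that style, so a sender can produce data a receiver will accept and a receiver can see exactly why a datagram is dropped. The field widths, version number, TLV type numbers and 16-byte record alignment follow my reading of spamd's sync.c and are assumptions to be checked against the tree you run; the key and addresses are constructed test values.

```python
import hashlib
import hmac
import socket
import struct

# Wire-format constants modelled on OpenBSD spamd's sync.c. The widths,
# version number and alignment are my reading of that source (assumptions).
SYNC_VERSION = 2
SYNC_END, SYNC_GREY, SYNC_WHITE, SYNC_TRAPPED = 0, 1, 2, 3
HMAC_LEN = 20          # HMAC-SHA1 digest length
ALIGN = 16             # each TLV record is padded out to a 16-byte boundary
AF_INET = 2
# header: sh_version(1) sh_af(1) sh_length(2) sh_counter(4) sh_hmac(20) sh_pad(4)
HDR = struct.Struct("!BBHI20s4x")
# address record: st_type(2) st_length(2) sd_timestamp(4) sd_expire(4) sd_ip(4)
ADDR_TLV = struct.Struct("!HHIII")


def _pad(rec: bytes) -> bytes:
    """Pad a record to the next ALIGN boundary."""
    return rec + b"\0" * (-len(rec) % ALIGN)


def build_packet(key: bytes, counter: int, entries) -> bytes:
    """Sender side: encode WHITE/TRAPPED address records, append an END
    marker, then sign the whole datagram with HMAC-SHA1 over a zeroed MAC field."""
    body = b""
    for kind, ip, ts, expire in entries:
        (ip_n,) = struct.unpack("!I", socket.inet_aton(ip))
        body += _pad(ADDR_TLV.pack(kind, ADDR_TLV.size, ts, expire, ip_n))
    body += _pad(struct.pack("!HH", SYNC_END, 4))
    length = HDR.size + len(body)
    unsigned = HDR.pack(SYNC_VERSION, AF_INET, length, counter, b"\0" * HMAC_LEN) + body
    mac = hmac.new(key, unsigned, hashlib.sha1).digest()
    return HDR.pack(SYNC_VERSION, AF_INET, length, counter, mac) + body


def parse_packet(key: bytes, pkt: bytes):
    """Receiver side: check header sanity and the HMAC before touching any
    record, then walk the TLVs. Returns the list of (type, ip, ts, expire)
    tuples, or None for anything a daemon would silently drop."""
    if len(pkt) < HDR.size:
        return None
    version, af, length, counter, mac = HDR.unpack_from(pkt)
    if version != SYNC_VERSION or af != AF_INET or length > len(pkt):
        return None
    zeroed = HDR.pack(version, af, length, counter, b"\0" * HMAC_LEN) + pkt[HDR.size:length]
    expect = hmac.new(key, zeroed, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expect):
        return None                      # wrong key or tampered payload
    entries, off = [], HDR.size
    while off + 4 <= length:
        t, l = struct.unpack_from("!HH", pkt, off)
        if t == SYNC_END:
            return entries
        if l < 4 or off + l > length:
            return None                  # malformed record length
        if t in (SYNC_WHITE, SYNC_TRAPPED) and l == ADDR_TLV.size:
            _, _, ts, expire, ip_n = ADDR_TLV.unpack_from(pkt, off)
            entries.append((t, socket.inet_ntoa(struct.pack("!I", ip_n)), ts, expire))
        off += (l + ALIGN - 1) // ALIGN * ALIGN   # skip record plus its padding
    return None                          # ran off the end without an END marker


if __name__ == "__main__":
    key = b"constructed-test-key"       # constructed; real key comes from spamd.key
    pkt = build_packet(key, 7, [(SYNC_WHITE, "203.0.113.20", 1458800000, 1458900000)])
    print(len(pkt), "bytes, parses as", parse_packet(key, pkt))
    print("wrong key parses as", parse_packet(b"other-key", pkt))
```

To send a built packet to a test receiver, write `pkt` to a UDP socket aimed at the sync port; to diagnose a drop, run `parse_packet` over the bytes tcpdump captured and see which check returns None. Note that the 1-byte and 82-byte datagrams in the capture above are far shorter than the 32-byte header this layout requires plus one record, so they would fail the length check before the HMAC is even consulted.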