Hi Ricardo/All,
On 2015-12-18 Fri 20:20 PM, Craig Skinner wrote:
> Hi!
>
> FYI: I've noticed spamd & spamlogd open their high ports as root.
>
> These pf rules work, changing to 'user _spamd' doesn't:
>
> pass in on $ext_if inet proto udp \
> from $ext_if:network port > 1023 \
> to $ext_if:0 port spamd-sync \
> user root
>
> pass out on $ext_if inet proto udp \
> from $ext_if:0 port > 1023 \
> to $ext_if:network port spamd-sync \
> user root
>
>
> $ fstat -u _spamd | fgrep internet
> _spamd spamlogd 2861 4* internet dgram udp *:12412
> _spamd spamd 1408 3* internet stream tcp 0x0 *:8025
> _spamd spamd 1408 4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd spamd 1408 5* internet dgram udp 203.0.113.21:8025
> _spamd spamd 11154 3* internet stream tcp 0x0 *:8025
> _spamd spamd 11154 4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd spamd 11154 5* internet dgram udp 203.0.113.21:8025
> _spamd spamd 11452 3* internet stream tcp 0x0 *:8025
> _spamd spamd 11452 4* internet stream tcp 0x0 127.0.0.1:8026
> _spamd spamd 11452 5* internet dgram udp 203.0.113.21:8025
>
>
> This box syslogs:
> Dec 18 15:13:25 palm spamd[1408]: new WHITE from 203.0.113.20 for
> 208.70.245.125, expires 1453562006
>
> The WHITE would be from spamlogd sending to UDP 8025 as root,
> as the pf rules above for that port require root to function.
>
>
> The source files show all the sockets are opened before priv drop.
>
> As the ports are above 1023, is this necessary? - I'm not a C coder...
>
Thanks Ricardo for your patch moving spamd.c's port binding
to the unpriv code block for this bug I found.
With spamd rebuilt & restarted, I'm trying to inject some test data
from another box which spamd syncs in both directions (as root).
This claims to connect & hangs:
(Nothing in the updated box's syslogs from spamd.)
$ KEY_SHA1=$(sha1 -q /etc/mail/spamd.key)
$ print "2 3 1458800000 1458900000 1.23.456.789 $KEY_SHA1 0" |
nc -4uv mx.example.net 8025
Connection to mx.example.net 8025 port [udp/spamd-sync] succeeded!
^C
tcpdump on the spamd modified sync receive mx.example.net box shows:
Mar 18 18:35:28.334256 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60:
203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334309 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60:
203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334360 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60:
203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.334442 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 60:
203.0.113.21.33635 > 203.0.113.20.8025: udp 1
Mar 18 18:35:28.339011 r2:d2:23:48:92:0e c3:p0:3a:c5:a5:2c 0800 124:
203.0.113.21.33635 > 203.0.113.20.8025: udp 82
How can test data be sent to spamd?
Thanks.
--
Some people claim that the UNIX learning curve is steep,
but at least you only have to climb it once.
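Added example, not from this thread or from the spamd source: a Python encoder and receiver-side verifier for the binary datagram that spamd's sync.c exchanges on spamd-sync, which is what a test injector has to produce. The layout (28-byte header of version, type, length, counter and HMAC-SHA1, then an addr TLV and an END TLV) and the keying (the raw bytes of /etc/mail/spamd.key, not a digest of it) are my reading of sync.h/sync.c and are assumptions to check against the installed version's source.

```python
import hashlib, hmac, socket, struct

SYNC_VERSION, HMAC_LEN = 1, 20   # header version, HMAC-SHA1 digest length (assumed from sync.h)
TLV_END, TLV_WHITE = 0x0000, 0x0002
HDR_FMT = "!BBHI20s"    # spam_synchdr: version, type, length, counter, hmac
ADDR_FMT = "!HHII4s"    # spam_synctlv_addr: type, length, timestamp, expire, ip
END_FMT = "!HH"         # spam_synctlv_hdr: type, length
HDR_LEN, ADDR_LEN, END_LEN = (struct.calcsize(f) for f in (HDR_FMT, ADDR_FMT, END_FMT))

def load_key(path="/etc/mail/spamd.key"):
    """Key = the key file's raw bytes up to the first NUL (assumed from sync.c), not a digest."""
    with open(path, "rb") as fh:
        return fh.read().split(b"\0", 1)[0]

def build_white(key, ip, timestamp, expire, counter):
    """Encode one WHITE datagram: header + addr TLV + END TLV; the HMAC is taken
    over the whole datagram with the header's hmac field zeroed."""
    body = (struct.pack(ADDR_FMT, TLV_WHITE, ADDR_LEN, timestamp, expire, socket.inet_aton(ip))
            + struct.pack(END_FMT, TLV_END, END_LEN))
    hdr = struct.pack(HDR_FMT, SYNC_VERSION, TLV_WHITE, HDR_LEN + len(body), counter, b"\0" * HMAC_LEN)
    mac = hmac.new(key, hdr + body, hashlib.sha1).digest()
    return hdr[:HDR_LEN - HMAC_LEN] + mac + body

def verify_white(key, pkt):
    """Receiver-side checks in spamd's order: version, declared length, HMAC, then
    the TLV walk.  Returns (ip, timestamp, expire) or None if it must be dropped."""
    if len(pkt) < HDR_LEN:
        return None
    version, _type, length, _counter, mac = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    if version != SYNC_VERSION or length != len(pkt):
        return None
    zeroed = pkt[:HDR_LEN - HMAC_LEN] + b"\0" * HMAC_LEN + pkt[HDR_LEN:]
    if not hmac.compare_digest(hmac.new(key, zeroed, hashlib.sha1).digest(), mac):
        return None                             # wrong key or altered bytes: dropped
    off = HDR_LEN
    while off + END_LEN <= len(pkt):
        tlv_type, tlv_len = struct.unpack(END_FMT, pkt[off:off + END_LEN])
        if tlv_type == TLV_END or tlv_len < END_LEN or off + tlv_len > len(pkt):
            return None
        if tlv_type == TLV_WHITE and tlv_len == ADDR_LEN:
            _t, _l, ts, exp, raw_ip = struct.unpack(ADDR_FMT, pkt[off:off + ADDR_LEN])
            return socket.inet_ntoa(raw_ip), ts, exp
        off += tlv_len
    return None

def send_white(host, key, ip, timestamp, expire, counter=0, port=8025):
    """Deliver one WHITE datagram to a spamd listening on spamd-sync (8025/udp)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(build_white(key, ip, timestamp, expire, counter), (host, port))
```

A datagram whose HMAC does not verify is discarded (at most a debug message, no syslog line), so the key file's contents and the pf rules on port spamd-sync are what decide who can push entries into a box's whitelist.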