| 1 |
---------- Forwarded Message ---------- |
| 2 |
|
| 3 |
Subject:Re: [gentoo-hardened] Fwd: hardened gentoo mailman/postfix/apache |
| 4 |
notes? |
| 5 |
Date:2008年1月2日 星期三 |
| 6 |
From:"Wang, Baojun" <wangbj@×××××××××××××.cn> |
| 7 |
To:gentoo-hardened@l.g.o |
| 8 |
|
| 9 |
On Wednesday 02 January 2008 20:38:33, pageexec@××××××××.hu wrote: |
| 10 |
> On 2 Jan 2008 at 12:25, Wang, Baojun wrote: |
| 11 |
> > Now I think all the configuration is working but the permission have some |
| 12 |
> > problem, since I'm using gentoo hardened, I think the problems are |
| 13 |
> > because I'm using hardened gentoo, How can I solve this problem, and any |
| 14 |
> > hints? |
| 15 |
> |
| 16 |
> are there any grsec denial logs? are you using the RBAC system? |
| 17 |
> if so, what's the policy that applies to apache/mailman? are the |
| 18 |
> normal filesystem permissions fine (i.e., can you execute the |
| 19 |
> denied binaries by hand at least)? |
| 20 |
|
| 21 |
in /var/log/kern.log |
| 22 |
|
| 23 |
... |
| 24 |
Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied |
| 25 |
untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/ |
| 26 |
local[local:17733] uid/euid:280/280 gid/egid:280/280, |
| 27 |
parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207 |
| 28 |
... |
| 29 |
|
| 30 |
mail ~ # id postfix |
| 31 |
uid=207(postfix) gid=207(postfix) groups=207(postfix),12(mail) |
| 32 |
mail ~ # id mailman |
| 33 |
uid=280(mailman) gid=280(mailman) groups=280(mailman),16(cron) |
| 34 |
|
| 35 |
in /var/log/kern.log |
| 36 |
|
| 37 |
... |
| 38 |
Jan 2 22:01:18 mail [721866.753519] grsec: From 202.201.0.151: chdir |
| 39 |
to /usr/local/mailman/cgi-bin by /usr/sbin/apache2[apache2:26412] |
| 40 |
uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:25004] |
| 41 |
uid/euid:81/81 gid/egid:81/81 |
| 42 |
Jan 2 22:01:18 mail [721866.753736] grsec: From 202.201.0.151: denied |
| 43 |
untrusted exec of /usr/local/mailman/cgi-bin/listinfo by /usr/sbin/apache2 |
| 44 |
[apache2:26412] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2 |
| 45 |
[apache2:25004] uid/euid:81/81 gid/egid:81/81 |
| 46 |
... |
| 47 |
|
| 48 |
grsec/pax are used, but not RBAC, sounds like that the `mailman' script |
| 49 |
refused to run with different uid/gid of the executable, I've added postfix |
| 50 |
and apache to the mailman group, but doesn't solve the problem. or should I |
| 51 |
chown -R root:root /usr/local/mainman and chown a-S /usr/local/manman? |
| 52 |
|
| 53 |
-- |
| 54 |
Wang, Baojun Lanzhou University |
| 55 |
Distributed & Embedded System Lab http://dslab.lzu.edu.cn |
| 56 |
School of Information Science and Engeneering wangbj_AT_lzu.edu.cn |
| 57 |
Tianshui South Road 222. Lanzhou 730000 .P.R.China |
| 58 |
Tel:+86-931-8912025 Fax:+86-931-8912022 |
| 59 |
|
| 60 |
------------------------------------------------------- |
| 61 |
|
| 62 |
-- |
| 63 |
Wang, Baojun Lanzhou University |
| 64 |
Distributed & Embedded System Lab http://dslab.lzu.edu.cn |
| 65 |
School of Information Science and Engeneering wangbj_AT_lzu.edu.cn |
| 66 |
Tianshui South Road 222. Lanzhou 730000 .P.R.China |
| 67 |
Tel:+86-931-8912025 Fax:+86-931-8912022 |
| 68 |
-- |
| 69 |
gentoo-hardened@g.o mailing list |
Archives