---------- Forwarded Message ----------

Subject: Re: [gentoo-hardened] Fwd: hardened gentoo mailman/postfix/apache notes?
Date: Wednesday, 2 January 2008
From: "Wang, Baojun" <wangbj@×××××××××××××.cn>
To: gentoo-hardened@l.g.o

On Wednesday 02 January 2008 20:38:33, pageexec@××××××××.hu wrote:
> On 2 Jan 2008 at 12:25, Wang, Baojun wrote:
> > Now I think all the configuration is working, but the permissions have some
> > problem. Since I'm using gentoo hardened, I think the problems are
> > because I'm using hardened gentoo. How can I solve this problem, and any
> > hints?
>
> are there any grsec denial logs? are you using the RBAC system?
> if so, what's the policy that applies to apache/mailman? are the
> normal filesystem permissions fine (i.e., can you execute the
> denied binaries by hand at least)?

21 |
in /var/log/kern.log |
22 |
|
23 |
... |
24 |
Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied |
25 |
untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/ |
26 |
local[local:17733] uid/euid:280/280 gid/egid:280/280, |
27 |
parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207 |
28 |
... |
29 |
|
30 |
mail ~ # id postfix |
31 |
uid=207(postfix) gid=207(postfix) groups=207(postfix),12(mail) |
32 |
mail ~ # id mailman |
33 |
uid=280(mailman) gid=280(mailman) groups=280(mailman),16(cron) |
34 |
|
35 |
in /var/log/kern.log |
36 |
|
37 |
... |
38 |
Jan 2 22:01:18 mail [721866.753519] grsec: From 202.201.0.151: chdir |
39 |
to /usr/local/mailman/cgi-bin by /usr/sbin/apache2[apache2:26412] |
40 |
uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:25004] |
41 |
uid/euid:81/81 gid/egid:81/81 |
42 |
Jan 2 22:01:18 mail [721866.753736] grsec: From 202.201.0.151: denied |
43 |
untrusted exec of /usr/local/mailman/cgi-bin/listinfo by /usr/sbin/apache2 |
44 |
[apache2:26412] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2 |
45 |
[apache2:25004] uid/euid:81/81 gid/egid:81/81 |
46 |
... |
47 |
|
48 |
grsec/pax are used, but not RBAC, sounds like that the `mailman' script |
49 |
refused to run with different uid/gid of the executable, I've added postfix |
50 |
and apache to the mailman group, but doesn't solve the problem. or should I |
51 |
chown -R root:root /usr/local/mainman and chown a-S /usr/local/manman? |
52 |
|
--
Wang, Baojun  Lanzhou University
Distributed & Embedded System Lab  http://dslab.lzu.edu.cn
School of Information Science and Engineering  wangbj_AT_lzu.edu.cn
Tianshui South Road 222, Lanzhou 730000, P.R. China
Tel: +86-931-8912025  Fax: +86-931-8912022

-------------------------------------------------------

--
gentoo-hardened@g.o mailing list
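The records quoted above are grsecurity Trusted Path Execution (TPE) denials, and the useful first step on a hardened box is to pull the denied binary, the executing program and its effective uid out of kern.log before touching ownership. The script below is an added example written for this thread; it is not code from grsecurity, Gentoo or the mailman project. It parses the exact record layout shown in the thread (the three grsec lines are the ones quoted above, re-joined onto single lines; the fourth log line is constructed so the parser has something to skip), counts denials per binary and actor, and applies the directory rule that, to my reading of the TPE documentation, decides whether a binary is "trusted" for a user outside the TPE group: the directory holding it must be owned by root and must not be group- or world-writable. That rule, the `0o2775` mode and the uid 280 owner used in the `__main__` demonstration are assumptions, not facts from the thread.

```python
"""Parse grsecurity TPE denial records from kern.log and explain them.

Added example for the gentoo-hardened thread; not grsecurity or Gentoo code.
"""
import os
import re
import stat
from collections import Counter
from typing import Dict, List, Optional

# One grsec audit record as quoted in the thread: actor and parent each carry
# "path[comm:pid] uid/euid:A/B gid/egid:C/D".
GRSEC_RE = re.compile(
    r"grsec: From (?P<src>\S+): (?P<event>denied untrusted exec of|chdir to) "
    r"(?P<path>\S+) by (?P<exe>\S+?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)"
)
INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
              "ppid", "puid", "peuid", "pgid", "pegid")

# Sample input: the three grsec records quoted in the thread, re-joined onto
# single lines, plus one constructed unrelated kernel line the parser must skip.
SAMPLE_LOG = [
    "Jan 2 12:20:07 mail [687055.942454] grsec: From 202.201.14.141: denied untrusted exec of /usr/local/mailman/mail/mailman by /usr/lib/postfix/local[local:17733] uid/euid:280/280 gid/egid:280/280, parent /usr/lib/postfix/local[local:17732] uid/euid:0/207 gid/egid:0/207",
    "Jan 2 22:01:18 mail [721866.753519] grsec: From 202.201.0.151: chdir to /usr/local/mailman/cgi-bin by /usr/sbin/apache2[apache2:26412] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:25004] uid/euid:81/81 gid/egid:81/81",
    "Jan 2 22:01:18 mail [721866.753736] grsec: From 202.201.0.151: denied untrusted exec of /usr/local/mailman/cgi-bin/listinfo by /usr/sbin/apache2[apache2:26412] uid/euid:81/81 gid/egid:81/81, parent /usr/sbin/apache2[apache2:25004] uid/euid:81/81 gid/egid:81/81",
    "Jan 2 22:01:19 mail [721866.800000] eth0: link up",  # constructed, not grsec
]


def parse_grsec_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one grsec record, or None for any other line."""
    m = GRSEC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    for key in INT_FIELDS:
        rec[key] = int(str(rec[key]))
    rec["event"] = "tpe_denied" if str(rec["event"]).startswith("denied") else "chdir"
    return rec


def summarize_tpe_denials(lines) -> Counter:
    """Count TPE denials keyed by (denied binary, executing program, effective uid)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_grsec_line(line)
        if rec and rec["event"] == "tpe_denied":
            counts[(rec["path"], rec["exe"], rec["euid"])] += 1
    return counts


def tpe_directory_reasons(dir_uid: int, dir_mode: int) -> List[str]:
    """Reasons TPE would treat binaries under a directory with this owner/mode as untrusted.

    Assumption (my reading of the TPE documentation, not stated in the thread):
    for a user outside the trusted group the directory must be owned by root and
    must not be writable by group or others.
    """
    reasons: List[str] = []
    if dir_uid != 0:
        reasons.append(f"directory not owned by root (owner uid {dir_uid})")
    if dir_mode & stat.S_IWGRP:
        reasons.append("directory is group-writable")
    if dir_mode & stat.S_IWOTH:
        reasons.append("directory is world-writable")
    return reasons


def explain_denial(rec: Dict[str, object], dir_uid: int, dir_mode: int) -> str:
    """One-line explanation of a denial given the binary's directory owner and mode."""
    reasons = tpe_directory_reasons(dir_uid, dir_mode)
    who = f"{rec['exe']} (euid {rec['euid']})"
    if not reasons:
        return f"{rec['path']}: directory looks trusted; check the TPE group membership of {who}"
    return f"{rec['path']} run by {who}: " + "; ".join(reasons)


def check_path_on_disk(path: str) -> List[str]:
    """Stat the directory of a binary on this host and apply the same rule."""
    st = os.stat(os.path.dirname(path) or "/")
    return tpe_directory_reasons(st.st_uid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for (path, exe, euid), n in summarize_tpe_denials(SAMPLE_LOG).items():
        print(f"{n}x {path} by {exe} euid={euid}")
    # Constructed directory facts for the thread's case: /usr/local/mailman
    # owned by uid 280 (mailman) with mode 2775, as the chown question suggests.
    first = parse_grsec_line(SAMPLE_LOG[0])
    assert first is not None
    print(explain_denial(first, dir_uid=280, dir_mode=0o2775))
```

Run on a real kern.log, `summarize_tpe_denials(open("/var/log/kern.log"))` gives one row per (binary, actor, euid), and `check_path_on_disk` on each denied binary tells you which of the two TPE conditions the directory fails, which is the information needed to decide between a `chown root:root` of the tree and adding the service accounts to the TPE trusted group.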