List Archive: gentoo-hardened
On Tue, 23 Oct 2007 01:15:05 -0600
"Matt Poletiek" <chill550@...> wrote:
> Hey guys, I was attempting to write a plugin for my qmail-spp enabled
> netqmail package when I ran into the following issue...
>
> hackdmz control # nc localhost 25
> 220 hackdmz.net ESMTP
> ehlo test
> 250-hackdmz.net
> 250-STARTTLS
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE 0
> 250 AUTH LOGIN PLAIN
> mail from test@...
> 250 ok
> rcpt to test@...
> 451 qmail-spp failure: plugins/validuser.pl: can't execute (#4.3.0)
>
> This shows up in dmesg
>
> grsec: From ***.***.***.***: denied untrusted exec of
> /var/qmail/plugins/validuser.pl by
> /var/qmail/bin/qmail-smtpd[qmail-smtpd:7451] uid/euid:201/201
> gid/egid:200/200, parent /var/qmail/bin/qmail-smtpd[qmail-smtpd:7438]
> uid/euid:201/201 gid/egid:200/200
> grsec: From ***.***.***.***: denied untrusted exec of
> /var/qmail/plugins/validuser.pl by
> /var/qmail/bin/qmail-smtpd[qmail-smtpd:7861] uid/euid:201/201
> gid/egid:200/200, parent /var/qmail/bin/qmail-smtpd[qmail-smtpd:7860]
> uid/euid:201/201 gid/egid:200/200
This is nothing to do with PaX, as you can see from the log messages.
Grsecurity is denying the execution attempt because you have
TPE enabled and the qmail user is not trusted.
See `Executable Protections' under Grsecurity in your kernel
configuration, or `sysctl -a |grep tpe` if you have Grsec sysctl
functionality enabled and unlocked.
--atj
--
gentoo-hardened@g.o mailing list
|
|
