Amavis Mailing List Archive

From: Gary Verchick (lists@johnmecham.com)
Date: Thu Dec 16 2004 - 21:56:50 EST

• Next message: Gary Verchick: "[AMaViS-user] 2.2.1-rc1 on Debian does not find pax"
• Previous message: Mark Martinec: "Re: [AMaViS-user] 2.2.1-rc1 trial SECURITY PROBLEM"
• Maybe in reply to: Gary Verchick: "[AMaViS-user] 2.2.1-rc1 trial SECURITY PROBLEM"
• Next in thread: Gary Verchick: "Re: [AMaViS-user] 2.2.1-rc1 trial SECURITY PROBLEM"

Mark wrote:

> Gary,

>> >> FATAL: Directory of a config file "/etc/amavis/amavisd.conf"
>> >> is writable by EUID 103, EGID 106 106 106

>> > So who is the owner of the directory /etc/amavis ?
>> > If it is not root but is vscan, the files within can be compromised.

>> Owned by root, always has been. I installed pax and binhex decoder,
>> replaced 2.2.0 with 2.2.1-rc1, fired it up and got the error.

> The test which produces the 'Directory of a config file... is writable'
> is a simple attempt to rename the config file to the same name,
> which should fail. It does work here as expected.

> Could you please try the following shell command as root:

> su vscan -c 'perl -e "warn
> rename(qw(/etc/amavis/amavisd.conf /etc/amavis/amavisd.conf))
> ? qq(renamed, nogood\n) : qq(can not,ok\n)"'

> What version of Perl, what OS?

> Mark

I have a system at home that I was going to install 2.2.1-rc1 on as a
test, but because of the outcome of the test you provided, it appears
it won't be necessary because the test fails on this one as well.

rc2:~# chmod 755 /etc/amavis
rc2:~# su amavis -c 'perl -e "warn rename(qw(/etc/amavis/amavisd.conf /etc/amavis/amavisd.conf)) ? qq(renamed, nogood\n) : qq(can not,ok\n)"'
renamed, nogood
rc2:~# chmod 644 /etc/amavis
rc2:~# su amavis -c 'perl -e "warn rename(qw(/etc/amavis/amavisd.conf /etc/amavis/amavisd.conf)) ? qq(renamed, nogood\n) : qq(can not,ok\n)"'
can not,ok
rc2:~#

Debian Sarge, 2.4.27-1-386, Perl 5.8.4

in /etc/passwd:
amavis:x:103:104:AMaViS system user,,,:/var/lib/amavis:/bin/sh

in /etc/group
amavis:x:104:clamav

I installed 20030616-p10 via apt-get to get the startup script and
other ancillary files and to add the amavis user, etc.,
then updated amavisd.conf and replaced /usr/sbin/amavisd-new with
version 2.2.0, ran on this for a couple months, then 2.2.1-rc1.

Thanks Mark

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/

• Next message: Gary Verchick: "[AMaViS-user] 2.2.1-rc1 on Debian does not find pax"
• Previous message: Mark Martinec: "Re: [AMaViS-user] 2.2.1-rc1 trial SECURITY PROBLEM"
• Maybe in reply to: Gary Verchick: "[AMaViS-user] 2.2.1-rc1 trial SECURITY PROBLEM"
• Next in thread: Gary Verchick: "Re: [AMaViS-user] 2.2.1-rc1 trial SECURITY PROBLEM"