Confused

Julian Field mailscanner at ecs.soton.ac.uk
Sat May 10 12:41:54 IST 2003


At 11:48 10/05/2003, you wrote:
>Hi
>
>I'm a bit confused by first time configuration of MailScanner on my
>own SuSE 8.2 workstation.  Thought I'd ask a couple of questions.
>Using Postfix and SpadderAssassin....
>
>
>http://www.sng.ecs.soton.ac.uk/mailscanner/install/postfix.shtml
>
> >Make sure you have the chroot jail set up in /var/spool/postfix. You
> >should be able to see "etc", "usr" and "lib" directories inside
> >/var/spool/postfix.
>
>No I can't.  I can see....
>
>active  bounce  corrupt  defer  deferred  flush  hold  incoming
>maildrop  pid  private  public
>
>Where are the "etc", "usr" and "lib" directories that are referred to?

They are the directories required to set up a minimal chroot jail. If you
don't know what a chroot jail is, then read on and I will try to
explain it:

When a process is run as root, or even as a non-root user, it will have
permission to write over some files on your system. To stop hackers
exploiting a vulnerability in the process, you can "chroot" the process.
This makes another directory appear to be "/" as far as the chroot-ed
process is concerned. In Postfix's case, lots of programs are run with a
chroot of "/var/spool/postfix". So the chroot-ed process can only ever
write to files under /var/spool/postfix (which it thinks is actually "/").
Even if it gets root, it can still only modify files under
/var/spool/postfix. There is no way for a process to reverse the chroot
call, so it's called a "jail" that it locks itself into. So the process
thinks, for example, that /var/spool/postfix/etc is actually /etc, and
similarly for the other directories (usr, lib, etc and the queues).

To make it all work, it needs copies of a few files from the real /etc to
operate, such as libraries, /etc/passwd and a few others. That is what
should be in /var/spool/postfix/etc and the other dirs there.

If you have a look in /etc/postfix/master.cf, there is a row for each of
the Postfix processes. One of the columns is ticked if the process should
be run chroot-ed.

It appears that maybe the chroot files are less than I first thought. Here
is what is on my system:

[sysjkf at tinker postfix]$ cd /var/spool/postfix
[sysjkf at tinker postfix]$ ls -lR etc
etc:
total 36
-rw-r-----    1 root     root        12288 Apr 25 12:29 aliases.db
drwxr-xr-x    2 root     root         4096 Apr 16 11:24 postfix
-rw-r--r--    1 root     root        19891 Apr 16 10:31 services

etc/postfix:
total 12
-rw-r-----    1 root     root        12288 Apr 16 11:24 aliases.db

> >If you haven't got the chroot jail set up already, then look in the
> >"examples" directory of the Postfix documentation and you will find
> >a script in there to set it up for your operating system. If you
> >can't find that, then see the "Problems or Errors" section further
> >down this page.
>
>
>This is the script that I have found under
>/usr/share/doc/packages/postfix/examples/chroot-setup.  Originally
>for SuSE 5.3.  Presumably it will work with SuSE 8.2 ?

Should work okay. It's a fairly simple process. I haven't got a copy of
SuSE 8.2 yet, only 8.1. I am trying to get my hands on a boxed copy of 8.2...

The code below is probably good enough. Watch your maillog as you put the
first few messages through it and you will soon see if it likes it or not.
It will warn you if something is wrong.

># Revision 1.4  2001/01/15 09:36:35  emma
># add note it was successfully tested on Debian sid
>#
>
>CP="cp -p"
>
>cond_copy() {
>   # find files as per pattern in $1
>   # if any, copy to directory $2
>   dir=`dirname "$1"`
>   pat=`basename "$1"`
>   lr=`find "$dir" -maxdepth 1 -name "$pat"`
>   if test ! -d "$2" ; then exit 1 ; fi
>   if test "x$lr" != "x" ; then $CP $1 "$2" ; fi
>}
>
>set -e
>umask 022
>
>POSTFIX_DIR=${POSTFIX_DIR-/var/spool/postfix}
>cd ${POSTFIX_DIR}
>
>mkdir -p etc lib usr/lib/zoneinfo
>
># find localtime (SuSE 5.3 does not have /etc/localtime)
>lt=/etc/localtime
>if test ! -f $lt ; then lt=/usr/lib/zoneinfo/localtime ; fi
>if test ! -f $lt ; then lt=/usr/share/zoneinfo/localtime ; fi
>if test ! -f $lt ; then echo "cannot find localtime" ; exit 1 ; fi
>rm -f etc/localtime
>
># copy localtime and some other system files into the chroot's etc
>$CP -f $lt /etc/services /etc/resolv.conf /etc/nsswitch.conf etc
>$CP -f /etc/host.conf /etc/hosts /etc/passwd etc
>ln -s -f /etc/localtime usr/lib/zoneinfo
>
># copy required libraries into the chroot
>cond_copy '/lib/libnss_*.so*' lib
>cond_copy '/lib/libresolv.so*' lib
>cond_copy '/lib/libdb.so*' lib
>
>postfix reload
>
>--
>Richard
>www.sheflug.co.uk

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
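The explanation above says what a chroot-ed Postfix daemon needs inside the jail and that the chroot column of master.cf decides which daemons run there. The script below is an added example, not part of Richard's post, Julian's reply or the Postfix distribution: it audits a jail of the shape the chroot-setup script creates (the file list is taken from that script) and reads the chroot column of a master.cf. The names check_jail and chroot_flags, and the sample jail the demo builds under mktemp, are this example's own.

```sh
#!/bin/sh
# Added example (not from the post or from Postfix): audit a Postfix chroot
# jail and report which master.cf services are marked to run chroot-ed.

# Files the chroot-setup script copies into $POSTFIX_DIR/etc. Without them a
# chroot-ed daemon cannot resolve hostnames, look up users or map port names.
JAIL_FILES="etc/localtime etc/services etc/resolv.conf etc/nsswitch.conf etc/host.conf etc/hosts etc/passwd"

# check_jail JAILDIR
# Prints one line per problem found; returns 0 when the jail looks complete.
check_jail() {
    jail="$1"; rc=0
    for f in $JAIL_FILES; do
        [ -f "$jail/$f" ] || { echo "missing: $jail/$f"; rc=1; }
    done
    # The resolver libraries the script copies with cond_copy.
    ls "$jail"/lib/libnss_*.so* >/dev/null 2>&1 || { echo "missing: $jail/lib/libnss_*.so*"; rc=1; }
    # Only /etc/passwd belongs in the jail. A copy of /etc/shadow would hand
    # password hashes to any daemon compromised inside the jail.
    [ -e "$jail/etc/shadow" ] && { echo "unexpected: $jail/etc/shadow"; rc=1; }
    # A world-writable copy of passwd/hosts/resolv.conf could be rewritten by
    # a compromised daemon to redirect its own lookups; report such files.
    for w in $(find "$jail/etc" -type f -perm -002 2>/dev/null); do
        echo "world-writable: $w"; rc=1
    done
    return $rc
}

# chroot_flags MASTER_CF
# Prints "service chroot" for every service row. Column 5 of master.cf is the
# chroot column: y, n, or - for the Postfix default (y on Postfix before 3.0).
chroot_flags() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
         /^[[:space:]]/ { next }                          # continuation (-o ...) lines
         NF >= 8 { print $1, ($5 == "-" ? "default" : $5) }' "$1"
}

# Stand-alone demo on a constructed jail. Real use: check_jail /var/spool/postfix
# and chroot_flags /etc/postfix/master.cf
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)                     # constructed sample jail, not a real one
    mkdir -p "$tmp/etc" "$tmp/lib"
    for f in $JAIL_FILES; do touch "$tmp/$f"; done
    touch "$tmp/lib/libnss_files.so.2"
    rm "$tmp/etc/resolv.conf"            # simulate one file the setup script did not copy
    if check_jail "$tmp"; then echo "jail ok"; else echo "jail incomplete"; fi
    rm -rf "$tmp"
fi
```

Run it as `sh audit-jail.sh demo` to see the report on the constructed jail; against a live system, a "missing:" line for a file the daemons need usually shows up in the maillog as a lookup or resolver failure once the first messages go through, which is the symptom Julian says to watch for.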