Bug 28193
Summary: | exim now run as root | | |
---|---|---|---|
Product: | [Retired] Red Hat Powertools | Reporter: | Need Real Name <mal> |
Component: | exim | Assignee: | Tim Waugh <twaugh> |
Status: | CLOSED RAWHIDE | Doc Type: | Bug Fix |
Severity: | medium | Priority: | medium |
Version: | 7.0 | Hardware: | i386 |
OS: | Linux | Last Closed: | 2001-02-18 16:41:21 UTC |
Description
Need Real Name
2001-02-17 22:31:21 UTC
Another problem when running as mail.mail is with permissions when using TLS,

exim_user = mail
exim_group = mail

The exim is not being able to read the SSL certificate because it has root.root rw------- permissions to protect the private key.

Would it be better to read the config, read certificates to memory first and then change uid/gid to specified in config?

An option to set a different group and give g+r to the certificate is not very secure because some programs can be tricked to read the private key.

Extraction from exim documentation:
------------------------
exim_user: This option sets the uid under which Exim runs when it gives up root privilege. However, unless there is some compelling reason for not doing so, it is best to specify the uid by setting EXIM_UID in `Local/Makefile' rather than using this option, because ownership of the run time configuration file and the use of the -C and -D command line options is checked against the compile-time setting of this parameter, not what is set here. Unless it consists entirely of digits, the string is looked up using getpwnam(), and failure causes a configuration error. If exim_group is not also supplied, the gid is taken from the result of getpwnam() if it is used. If the resulting uid is the root uid, it has the effect of unsetting this option. See chapter 55 for a discussion of security issues.
--------------
Current exim exim-3.22-5 does not have user and group set neither in /etc/exim.conf nor in Makefile

EXIM_UID should probably be set, yes. Not sure about the SSL certificate thing though.

>Not sure about the SSL certificate thing though
The TLS is a separate issue, let us leave it out of this bug for now.
Let us focus on plain authorization with PAM.
The problem described above also exists in the latest exim-3.22-6
The plain auth with PAM works OK when
exim is running as root.root
and does not work when exim is running as mail.mail
It prints in LOG:
2001-02-17 18:12:34 Authentication failed for a.b.c.d.com (gromco.com) [0.0.0.0]: 535 Incorrect authentication data
(I also use TLS, but the permissions to the keys were set such as exim
can read them when running as mail.mail
-rw-r----- 1 root mail 2254 Feb 12 15:49 certificate.pem
so the problem is somewhere else)
No such problem when exim is running as root.
Does the problem happen if you compile exim with 'EXIM_UID=8' and 'EXIM_GID=12' in Local/Makefile but exim_user=root and exim_group=root (to undo the effect)? [I can supply a binary if you like]

I set debug_level = 127 for
rpm -q exim
exim-3.22-8
[root@test_server /tmp]# ps axuww|grep exim
mail 3169 0.0 1.7 4272 1420 ? S 20:30 0:00 /usr/sbin/exim -bd -q1h
It asks login/password forever, the messages from /var/log/exim/exim_mainlog are below.
Feb 17 20:40:48 test_server exim: PAM error: Authentication failure
Feb 17 20:40:48 test_server exim: fixed_plain authenticator:
Feb 17 20:40:48 test_server exim: $1 =
Feb 17 20:40:48 test_server exim: $2 = mal
Feb 17 20:40:48 test_server exim: $3 = PasswordHere
Feb 17 20:40:48 test_server exim: expanded string: no
Feb 17 20:40:48 test_server exim:
Feb 17 20:40:48 test_server exim: tls_do_write(8180fa8, 35)
Feb 17 20:40:48 test_server exim: SSL_write(SSL, 8180fa8, 35)
Feb 17 20:40:48 test_server exim: outbytes=35 error=0
Feb 17 20:40:48 test_server exim: LOG: 0 MAIN REJECT
Feb 17 20:40:48 test_server exim: Authentication failed for host.domain.com (gromco.com) [1.2.3.4]: 535 Incorrect authentication data
Feb 17 20:40:48 test_server exim: Calling SSL_read(8190460, 8191c98, 4096)
Then I added
exim_user = root
exim_group = root
ps axuww|grep exim
root 3224 0.3 1.8 4276 1428 ? S 20:36 0:00 /usr/sbin/exim -bd -q1h
Now it is running as root. The e-mail sent OK with no problem.
Feb 17 20:43:00 test_server last message repeated 4 times
Feb 17 20:43:00 test_server exim: Calling SSL_read(8190890, 81920c8, 4096)
Feb 17 20:43:04 test_server exim: SMTP<< AUTH PLAIN AG1hbAB0dHk1MzU=
Feb 17 20:43:04 test_server exim: Running PAM authentication for user "mal"
Feb 17 20:43:04 test_server exim: PAM success
Feb 17 20:43:04 test_server exim: fixed_plain authenticator:
Feb 17 20:43:04 test_server exim: $1 =
Feb 17 20:43:04 test_server exim: $2 = mal
Feb 17 20:43:04 test_server exim: $3 = PasswordHere
Feb 17 20:43:04 test_server exim: expanded string: yes
Feb 17 20:43:04 test_server exim:
Feb 17 20:43:04 test_server exim: tls_do_write(8180fa8, 30)
Feb 17 20:43:04 test_server exim: SSL_write(SSL, 8180fa8, 30)
Feb 17 20:43:04 test_server exim: outbytes=30 error=0
Feb 17 20:43:04 test_server exim: Calling SSL_read(8190890, 81920c8, 4096)
--------

This is the right log (Some necessary information was missed below). From these logs you see that PAM module fails when running as non-root and works OK when running as root.

1. FAILURE
Feb 17 20:40:38 test_server exim: SMTP<< AUTH PLAIN PASSWORD_HERE_ENCODED=
Feb 17 20:40:38 test_server exim: Running PAM authentication for user "mal"
Feb 17 20:40:38 test_server PAM_unix[3268]: authentication failure; root(uid=8) -> mal for exim service
Feb 17 20:40:41 test_server exim: PAM error: Authentication failure
Feb 17 20:40:41 test_server exim: fixed_plain authenticator:
Feb 17 20:40:41 test_server exim: $1 =
Feb 17 20:40:41 test_server exim: $2 = mal
Feb 17 20:40:41 test_server exim: $3 = PasswordHere
Feb 17 20:40:41 test_server exim: expanded string: no
Feb 17 20:40:41 test_server exim:
Feb 17 20:40:41 test_server exim: tls_do_write(8180fa8, 35)
Feb 17 20:40:41 test_server exim: SSL_write(SSL, 8180fa8, 35)
Feb 17 20:40:41 test_server exim: outbytes=35 error=0
Feb 17 20:40:41 test_server exim: LOG: 0 MAIN REJECT
Feb 17 20:40:41 test_server exim: Authentication failed for host.domain.com (gromco.com) [1.2.3.4]: 535 Incorrect authentication data

2. SUCCESS
Feb 17 20:43:04 test_server exim: SMTP<< AUTH PLAIN PASSWORD_HERE_ENCODED=
Feb 17 20:43:04 test_server exim: Running PAM authentication for user "mal"
Feb 17 20:43:04 test_server exim: PAM success
Feb 17 20:43:04 test_server exim: fixed_plain authenticator:
Feb 17 20:43:04 test_server exim: $1 =
Feb 17 20:43:04 test_server exim: $2 = mal
Feb 17 20:43:04 test_server exim: $3 = PasswordHere
Feb 17 20:43:04 test_server exim: expanded string: yes
Feb 17 20:43:04 test_server exim:
Feb 17 20:43:04 test_server exim: tls_do_write(8180fa8, 30)
Feb 17 20:43:04 test_server exim: SSL_write(SSL, 8180fa8, 30)
Feb 17 20:43:04 test_server exim: outbytes=30 error=0
Feb 17 20:43:04 test_server exim: Calling SSL_read(8190890, 81920c8, 4096)
Feb 17 20:43:04 test_server exim: SMTP<< MAIL FROM:<mal>

The string
Feb 17 20:40:38 test_server PAM_unix[3268]: authentication failure; root(uid=8) -> mal for exim service
probably the most relevant. Why it prints root(uid=8) ?

PAM 0.72 allows authorization as non-root.
It has setuid helpers integrated:
-r-sr-xr-x 1 root root 14784 Nov 30 13:16 /sbin/pwdb_chkpwd
-r-sr-xr-x 1 root root 15360 Nov 30 13:16 /sbin/unix_chkpwd
These helpers are used in standard pam modules specifically for this purpose: checking password for non-root
These programs are usually called by standard PAM modules
egrep '/sbin/(unix_chkpwd|pwdb_chkpwd)' /lib/security/*
egrep: /lib/security/pam_filter: Is a directory
Binary file /lib/security/pam_pwdb.so matches
Binary file /lib/security/pam_unix.so matches
Binary file /lib/security/pam_unix_acct.so matches
Binary file /lib/security/pam_unix_auth.so matches
Binary file /lib/security/pam_unix_passwd.so matches
Binary file /lib/security/pam_unix_session.so matches
The setuid helpers are already integrated into pam_unix and etc, and checking password when running as non-root is possible. You can do even more, in /etc/pam.d/exim you can explicitly check that the process doing authorization is root.root or exim_user.exim_group then do authorization through pam_unix which has setuid helper integrated. This way nobody else except exim will be able to use these setuid helpers which will be called from pam_unix.

exim-3.22-8 no longer runs as root while receiving SMTP. The PAM problems are a PAM restriction.
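The logs in this report show two things worth checking on any host set up this way: a PAM_unix failure logged with a non-zero caller uid, and credentials written to syslog at debug_level = 127 (the AUTH PLAIN argument is only base64-encoded, and `$3` is the expanded password). The Python below is an added example, not part of the bug thread or of exim: it finds the first and redacts the second, using constructed lines modeled on those quoted above. The name `triage` and the `[REDACTED]` marker are assumptions.

```python
import re

# Constructed sample, modeled on the syslog lines quoted in this bug report.
SAMPLE = """\
Feb 17 20:40:38 test_server exim: SMTP<< AUTH PLAIN PASSWORD_HERE_ENCODED=
Feb 17 20:40:38 test_server exim: Running PAM authentication for user "mal"
Feb 17 20:40:38 test_server PAM_unix[3268]: authentication failure; root(uid=8) -> mal for exim service
Feb 17 20:40:41 test_server exim: PAM error: Authentication failure
Feb 17 20:40:41 test_server exim: $3 = PasswordHere
Feb 17 20:43:04 test_server exim: SMTP<< AUTH PLAIN PASSWORD_HERE_ENCODED=
Feb 17 20:43:04 test_server exim: Running PAM authentication for user "mal"
Feb 17 20:43:04 test_server exim: PAM success
Feb 17 20:43:04 test_server exim: $3 = PasswordHere
"""

# syslog prefix: timestamp, host, program, optional [pid], then the message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([^:\[]+)(?:\[(\d+)\])?: (.*)$")
# PAM_unix failure line as it appears in the report: name(uid=N) -> user for svc
PAM_FAIL = re.compile(r"authentication failure; (\S*)\(uid=(\d+)\) -> (\S+) for (\S+) service")
# Debug output that carries credentials: the AUTH PLAIN blob and the $3 expansion
SECRET = re.compile(r"^(SMTP<< AUTH PLAIN |\$3 = )\S")

def triage(text):
    """Return (PAM failures from a non-root caller, log lines with secrets redacted)."""
    failures, redacted = [], []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            redacted.append(raw)  # not a syslog-style line; pass through unchanged
            continue
        stamp, _host, prog, _pid, msg = m.groups()
        f = PAM_FAIL.search(msg)
        if f and prog.startswith("PAM_unix") and int(f.group(2)) != 0:
            failures.append({"time": stamp, "caller_uid": int(f.group(2)),
                             "target": f.group(3), "service": f.group(4)})
        s = SECRET.match(msg)
        if s:
            # keep the syslog prefix and the field label, drop the secret itself
            raw = raw[:m.start(5)] + s.group(1) + "[REDACTED]"
        redacted.append(raw)
    return failures, redacted

if __name__ == "__main__":
    fails, clean = triage(SAMPLE)
    for f in fails:
        print("PAM failure from non-root caller:", f)
    print("\n".join(clean))
```
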