Bug 99034 - chrooted jailcell lacks /etc/passwd equivalent
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: postfix (Show other bugs)
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: John Dennis
Reported: 2003-07-12 01:12 EDT by Piet E Barber
Modified: 2007-04-18 12:55 EDT (History)
Last Closed: 2003-07-14 11:53:58 EDT
Attachments
patch to fix startup script; gets passwd file into jailcell. (444 bytes, patch)
2003-07-12 01:15 EDT, Piet E Barber
Description Piet E Barber 2003-07-12 01:12:30 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030701

Description of problem:
When postfix starts, there is a chrooted jail cell set up by default. 
The /var/spool/postfix/etc/ directory is the equivalent of the /etc/ directory. 

When external sources attempt to deliver mail to a local recipient, all mail
will fail unless the user exists on the system. 

Postfix checks the user accounts through many methods, including and especially,
the /etc/passwd file, which is not present. 
Version-Release number of selected component (if applicable):
postfix-1.1.11-11

How reproducible:
Always

Steps to Reproduce:
1. Install postfix
2. Run redhat-switch-mail
3. Set main.cf to listen on all interfaces
4. (keep chroot configuration as default specifies)
5. start postfix
6. Ensure user 'pbarber' (or some other such user id) is on the system.
7. Attempt to deliver e-mail to the host through a manual telnet session to port 25.


Actual Results:   here's my illustration: 

[root@hoser postfix]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 hoser.host ESMTP Postfix
HELO hoser.host
250 hoser.host
MAIL FROM: <pbarber@hoser.host>
250 Ok
RCPT TO: <pbarber@hoser.host>
  (LONG delay here) 
550 <pbarber@hoser.host>: User unknown
 
^]
telnet> close


Expected Results:  Well, postfix should have been able to figure out that
~pbarber exists on the system, and delivered the mail without all this heartbreak. 

Additional info:

If you plunk an /etc/passwd file into /var/spool/postfix/etc/passwd, and restart
postfix, the mail gets delivered. 

I believe that the /etc/passwd should be copied into that directory on startup.
There are probably better solutions, though.  There may be valid reasons not to
do this; if so, I'm listening.

I have a stupid 3 line patch that changes /etc/init.d/postfix to do this on
startup. 


Here's the results after copying /etc/passwd to /var/spool/postfix/etc/passwd:

[root@rf init.d]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 hoser.host ESMTP Postfix
HELO hoser.host
250 hoser.host
MAIL FROM: <pbarber@hoser.host>
250 Ok
RCPT TO: <pbarber@hoser.host>
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Hallo!!!
 
this was successful.
.
.
250 Ok: queued as 07140480062
quit
221 Bye
Connection closed by foreign host.
Comment 1 Piet E Barber 2003-07-12 01:15:25 EDT
Created attachment 92893
patch to fix startup script; gets passwd file into jailcell.

This patch automatically puts the /etc/passwd file into the postfix jailcell. 
This way local users can actually get delivery on e-mail.
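The workaround described in the report and in the attached patch (copy /etc/passwd into the jail at startup) can be done with less exposure than a verbatim copy. The following startup-script fragment is an added example, not the reporter's attachment or Red Hat's init script: it publishes only the name, uid, gid and home fields into the chroot, and includes the lookup check a practitioner would run before blaming "User unknown" on the jail. The argument-passing interface is an assumption so the functions can be exercised against constructed input.

```shell
#!/bin/sh
# Added example, not the reporter's attachment: a startup-script fragment that
# publishes a minimal /etc/passwd into the Postfix chroot so that getpwnam()
# lookups by the chrooted smtpd succeed. Only the name, uid, gid and home
# fields are kept; password, GECOS and shell fields are blanked so the jail
# never carries more account data than the recipient lookup needs.
# Assumed interface (not from the bug): source file and jail root are passed
# as arguments so the function can be run against constructed input.

# sync_passwd_into_jail SRC_PASSWD JAIL_ROOT
# Returns 0 on success, 1 if the source is unreadable or the jail is missing.
sync_passwd_into_jail() {
    src="$1"
    jail="$2"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -d "$jail" ] || { echo "jail root $jail does not exist" >&2; return 1; }
    mkdir -p "$jail/etc" || return 1
    tmp="$jail/etc/.passwd.$$"
    # Keep well-formed 7-field entries only; emit name:x:uid:gid::home:
    awk -F: 'NF == 7 { printf "%s:x:%s:%s::%s:\n", $1, $3, $4, $6 }' \
        "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    # World-readable like the real file; atomic replace so smtpd never sees
    # a half-written copy.
    chmod 0644 "$tmp" && mv -f "$tmp" "$jail/etc/passwd"
}

# jail_knows_user JAIL_ROOT USER
# Returns 0 if USER has an entry in the jail's passwd copy, 1 otherwise.
jail_knows_user() {
    jail="$1"
    user="$2"
    [ -r "$jail/etc/passwd" ] || return 1
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' \
        "$jail/etc/passwd"
}
```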
Comment 2 John Dennis 2003-07-14 11:53:58 EDT
Postfix as supplied by Red Hat no longer runs in a chroot jail. The additional
security provided by the chroot jail was not justified by the problems it
created, as you have pointed out. Even the postfix author no longer recommends
a chroot jail. I suggest you upgrade to the current postfix package (2.0.11-4)
which you can find on ftp.redhat.com.