Date:      Thu, 22 May 2008 09:05:22 GMT
From:      Helmut Schneider <jumper99@gmx.de>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/123888: security/amavisd-new broken when running chroot'ed
Message-ID:  <200805220905.m4M95M2p080620@www.freebsd.org>
Resent-Message-ID: <200805220910.m4M9A75t066272@freefall.freebsd.org>

>Number:         123888
>Category:       ports
>Synopsis:       security/amavisd-new broken when running chroot'ed
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 22 09:10:06 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Helmut Schneider
>Release:        7.0-RELEASE
>Organization:
>Environment:
>Description:
[root@FBSD70VM ~]# amavisd debug
May 22 10:47:51.064 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: starting.  /usr/local/sbin/amavisd at FBSD70VM.v-pe.de amavisd-new-2.6.0 (20080423), Unicode aware
May 22 10:47:51.065 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: user=, EUID: 110 (110);  group=, EGID: 110 110 (110 110)
May 22 10:47:51.065 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Perl version               5.008008
May 22 10:47:51.853 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: INFO: SA version: 3.2.4, 3.002004, no optional modules: Mail::SpamAssassin::SQLBasedAddrList Net::CIDR::Lite Sys::Hostname::Long DBD::mysql Mail::SpamAssassin::BayesStore::PgSQL IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF::Query
May 22 10:47:51.853 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: SpamControl: init_pre_chroot on SpamAssassin done
May 22 10:47:51.854 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: 2008/05/22-10:47:51 Amavis (type Net::Server::PreForkSimple) starting! pid(81036)
May 22 10:47:51.862 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
May 22 10:47:51.863 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
May 22 10:47:51.864 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Group Not Defined.  Defaulting to EGID '110 110'
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: User Not Defined.  Defaulting to EUID '110'
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Chrooting to /var/amavis
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: (!)Net::Server: 2008/05/22-10:47:51 Couldn't chroot to "/var/amavis": Operation not permitted\n  at line 523 in file /usr/local/lib/perl5/site_perl/5.8.8/Net/Server.pm
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: 2008/05/22-10:47:51 Server closing!
[root@FBSD70VM ~]#

I guess Net::Server tries to chroot as non-root (GID/UID vscan) which according to "man 2 chroot" is not allowed.
>How-To-Repeat:
Install amavisd-new 2.6 and set

$daemon_chroot_dir = $MYHOME;
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:


