Date: Sat, 06 Mar 2004 15:31:38 +0100
From: "Martin P. Hellwig" <mhellwig@xs4all.nl>
To: Marius Strobl <marius@alchemy.franken.de>
Cc: freebsd-ports@freebsd.org
Subject: Re: security/antivir-milter won't start correctly
Message-ID: <4049E0CA.20402@xs4all.nl>
In-Reply-To: <20040305192121.A88687@newtrinity.zeist.de>
References: <403A7649.20306@xs4all.nl> <20040223234640.A48708@newtrinity.zeist.de> <403F660C.7040304@xs4all.nl> <20040228001928.GB47810@nagual.pp.ru> <4040B04B.8010503@xs4all.nl> <20040305192121.A88687@newtrinity.zeist.de>

Marius Strobl wrote:

>Actually I had to do both here on 5.2-current to always get a working
>state after reboot/restart. On 4.8-stable I only managed to hit the
>"local socket unsafe" problem once and the socket never disappeared.
>Both problems are strange, as Sendmail really expects the socket to
>be owned by smmsp:smmsp according to the source so it never should
>have worked and I'm not sure why the socket gets removed when not
>launching the milter in the background.
>Anyway, the port finally is changed accordingly, please follow the
>update instructions given in ports/UPDATING.
>
>

Thanks Marius for updating.
This is really strange behaviour by sendmail (is it indeed in sendmail or is it in 5?) but I'm glad there is a solution.

I have tested the port on 5.2.1 (after removing everything except the license) and found it working all right.
I'm still confused why it works at the other testbed without changing the usergroup to smmsp, but if the masters say it must be smmsp so I will follow :-)

To Andrey:
I'm sorry if I sounded like a non-believer but in my defence, I saw it with my own eyes :-)

I added the test results for the new port with 5.2.1 to this message.

Thanks,

Martin P. Hellwig

[Attachment: AntiVir-milter_test_results.txt]

>>>ssh'ing to testlaptop and su<<<
# cat /etc/rc.conf
usbd_enable="YES"
sshd_enable="YES"
hostname="lifebook"
sendmail_enable="YES"
pccard_enable="YES"
pccardd_flags="-z"
# uname -a
FreeBSD lifebook 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Sat Feb 28 14:05:43 GMT 2004 root@:/usr/obj/usr/src/sys/LIFEBOOK i386
# cd /usr/ports/security/antivir-milter/
# make
===> Vulnerability check disabled
>> avfbmlt_beta.tgz doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from http://www.antivir.de/dateien/antivir/beta/freebsd/.
Receiving avfbmlt_beta.tgz (2530356 bytes): 100%
2530356 bytes transferred in 11.6 seconds (212.92 kBps)
===> Extracting for antivir-milter-1.1.b
>> Checksum OK for avfbmlt_beta.tgz.
===> Patching for antivir-milter-1.1.b
===> Applying FreeBSD patches for antivir-milter-1.1.b
===> antivir-milter-1.1.b depends on shared library: c.4 - found
===> Configuring for antivir-milter-1.1.b
su-2.05b# make install
===> Installing for antivir-milter-1.1.b
===> antivir-milter-1.1.b depends on shared library: c.4 - found
===> Generating temporary packing list
===> Checking if security/antivir-milter already installed
===========================================================================
In order to configure Sendmail for this port add the following lines to
your SENDMAIL_MC:

INPUT_MAIL_FILTER( `antivir-milter', `S=unix:/var/spool/avmilter/avmilter.sock, F=T, T=S:10m;R:10m;E:10m' )dnl

Don't forget to rebuild sendmail.cf and to restart Sendmail afterwards.

For automated updates of the anti-virus engine and the virus definition
file add the following line to your /etc/crontab:

25 0 * * * root /usr/local/sbin/antivirupdater -q

For full functionality of AntiVir Milter you need to obtain a license
key from H+BEDV Datentechnik GmbH.
To install it, execute the following commands:

cp hbedv.key /usr/local/AntiVir/
chown root:smmsp /usr/local/AntiVir/hbedv.key
chmod 440 /usr/local/AntiVir/hbedv.key

A license key for private (individual, non-commercial) use can be applied
for free of charge at:

http://www.antivir.de/order/privreg/linux.htm (German)
http://www.hbedv.com/private/ (English)
===========================================================================
===> Registering installation for antivir-milter-1.1.b
===> SECURITY REPORT:
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/avmilter
/usr/local/AntiVir/antivir-dist_avfbmlt (USES POSSIBLY INSECURE FUNCTIONS: tempnam)

This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/antivir-milter.sh

If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.

For more information, and contact details about the security
status of this software, see the following webpage:
http://www.hbedv.com/
# cd /etc/mail
# vi lifebook.mc
added:
INPUT_MAIL_FILTER( `antivir-milter', `S=unix:/var/spool/avmilter/avmilter.sock, F=T, T=S:10m;R:10m;E:10m' )dnl
:wq!
lifebook.mc: 96 lines, 4266 characters.
# make cf
/usr/bin/m4 -D_CF_DIR_=/usr/share/sendmail/cf/ /usr/share/sendmail/cf/m4/cf.m4 lifebook.mc > lifebook.cf
# cp lifebook.cf sendmail.cf
# cd /usr/local/
# ls
AntiVir bin include lib libexec sbin
AntiVir_old etc info libdata man share
# cp AntiVir_old/hbedv.key AntiVir/
# chown root:smmsp AntiVir/hbedv.key
# chmod 440 /usr/local/AntiVir/hbedv.key
# /usr/local/sbin/antivirupdater
Warning: the file "antivir.vdf" is more than 14 days old
AntiVir / FreeBSD Version 2.0.9-15
Copyright (c) 1994-2004 by H+BEDV Datentechnik GmbH.
All rights reserved.

checking for updates
06.23.00.49 <=> 06.24.00.41 [vdf database, loaded]
06.23.00.49 <=> 06.24.00.41 [vdf database, on-disk]
06.23.00.03 <=> 06.24.00.06 [scan engine, running]
06.23.00.03 <=> 06.24.00.06 [scan engine, on-disk]
antivir.vdf 100% |****************************************************************| 1632 KB 204.10 KB/s 0:00 ETA
antivir 100% |********************************************************************| 317 KB 158.57 KB/s 0:00 ETA
06.24.00.41 <=> 06.24.00.41 [vdf database, on-disk]
06.24.00.06 <=> 06.24.00.06 [scan engine, on-disk]
reloading AntiVir mail scanner ... OK
scan engine 06.23.00.03 --> 06.24.00.06 (/usr/local/AntiVir/antivir)
vdf database 06.23.00.49 --> 06.24.00.41 (/usr/local/AntiVir/antivir.vdf)
AntiVir updated successfully
# ls /var/spool/avmilter/
incoming outgoing rejected
# /usr/local/etc/rc.d/antivir-milter.sh start
antivir-milter#
# ls /var/spool/avmilter/
avmilter.sock incoming outgoing rejected
# /etc/rc.d/sendmail restart
Stopping sendmail.
Stopping sendmail_clientmqueue.
ps: kvm_getprocs: No such process
Starting sendmail.
ps: kvm_getprocs: No such process
ps: kvm_getprocs: No such process
# telnet localhost smtp
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 lifebook ESMTP Sendmail 8.12.10/8.12.10; Sat, 6 Mar 2004 16:00:06 GMT
helo localhost
250 lifebook Hello localhost [127.0.0.1], pleased to meet you
mail from: martin@localhost
250 2.1.0 martin@localhost... Sender ok
rcpt to: root@localhost
250 2.1.5 root@localhost... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test
.
250 2.0.0 i26G06hk001409 Message accepted for delivery
quit
221 2.0.0 lifebook closing connection
Connection closed by foreign host
#shutdown -r now
Shutdown NOW!
shutdown: [pid 1421]
#
*** FINAL System shutdown message from martin@lifebook ***
System going down IMMEDIATELY

System shutdown time has arrived
Connection to 10.0.0.156 closed by remote host.
Connection to 10.0.0.156 closed.
>>>ssh'ing to testlaptop and su<<<
# ls /var/spool/avmilter/
avmilter.sock incoming outgoing rejected
# telnet localhost smtp
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 lifebook ESMTP Sendmail 8.12.10/8.12.10; Sat, 6 Mar 2004 16:06:43 GMT
helo localhost
250 lifebook Hello localhost [127.0.0.1], pleased to meet you
mail from: martin@localhost
250 2.1.0 martin@localhost... Sender ok
rcpt to: root@localhost
250 2.1.5 root@localhost... Recipient ok
data
354 Enter mail, end with "." on a line by itself
test 2
.
250 2.0.0 i26G6hKW000530 Message accepted for delivery
quit
221 2.0.0 lifebook closing connection
Connection closed by foreign host.
b# whoami
root
-su-2.05b# mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/mail/root": 2 messages 2 new
>N 1 martin@lifebook Sat Mar 6 16:00 15/534
N 2 martin@lifebook Sat Mar 6 16:07 15/534
& Message 1:
>From martin@lifebook Sat Mar 6 16:00:39 2004
Date: Sat, 6 Mar 2004 16:00:06 GMT
From: "Martin P. Hellwig" <martin@lifebook>
To: undisclosed-recipients:;
X-AntiVirus: checked by AntiVir Milter 1.1-beta; AVE 6.24.0.6; VDF 6.24.0.41 (host: lifebook)

test

& Message 2:
>From martin@lifebook Sat Mar 6 16:07:10 2004
Date: Sat, 6 Mar 2004 16:06:43 GMT
From: "Martin P. Hellwig" <martin@lifebook>
To: undisclosed-recipients:;
X-AntiVirus: checked by AntiVir Milter 1.1-beta; AVE 6.24.0.6; VDF 6.24.0.41 (host: lifebook)

test 2

& q
#
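
An added example, not part of the original message or of the port: a Python check of the two ownership expectations that appear in this thread, the milter socket owned by smmsp:smmsp (as stated in the quoted reply) and the license key installed root:smmsp with mode 440 (from the port's install message). The function names `audit` and `audit_avmilter` are made up for this example; the paths are the ones shown in the session above.

```python
import grp
import os
import pwd
import stat

# Paths and expectations as they appear in the thread and the install message.
SOCKET = "/var/spool/avmilter/avmilter.sock"   # expected smmsp:smmsp
KEY = "/usr/local/AntiVir/hbedv.key"           # expected root:smmsp, mode 440


def _uid(owner):
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def _gid(group):
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def audit(path, kind, owner, group, allowed_mode=None):
    """Return a list of findings for path; an empty list means it matches."""
    try:
        st = os.lstat(path)  # lstat: report on the path itself, not a symlink target
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    findings = []
    is_kind = stat.S_ISSOCK if kind == "socket" else stat.S_ISREG
    if not is_kind(st.st_mode):
        findings.append(f"{path}: not a {kind}")
    try:
        if st.st_uid != _uid(owner):
            findings.append(f"{path}: owner uid {st.st_uid}, expected {owner}")
        if st.st_gid != _gid(group):
            findings.append(f"{path}: group gid {st.st_gid}, expected {group}")
    except KeyError as exc:  # expected account does not exist on this host
        findings.append(f"{path}: cannot resolve expected owner/group ({exc})")
    mode = stat.S_IMODE(st.st_mode)
    if allowed_mode is not None and mode & ~allowed_mode:
        findings.append(f"{path}: mode {mode:04o} grants more than {allowed_mode:04o}")
    return findings


def audit_avmilter(socket_path=SOCKET, key_path=KEY):
    """Check the socket and the license key against the thread's expectations."""
    return (audit(socket_path, "socket", "smmsp", "smmsp")
            + audit(key_path, "file", "root", "smmsp", 0o440))


if __name__ == "__main__":
    for line in audit_avmilter() or ["avmilter socket and license key match"]:
        print(line)
```

Running it once after starting the milter and again after a reboot covers both states the thread describes: a socket that is missing and a socket with unexpected ownership.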