
en - Re: [sympa-users] newaliases

Subject: The mailing list for listmasters using Sympa

  • From: Redmond Militante <address@concealed>
  • To: Peter Farmer <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] newaliases
  • Date: Mon, 5 Jun 2006 17:27:10 -0500

Hello-

I tried

# chmod -R root:root /etc/mail
# ls -la /etc/mail/
total 384
drwxr-xr-x 3 root root 4096 Jun 2 16:02 .
drwxr-xr-x 82 root root 12288 Jun 5 16:40 ..
-rw-r--r-- 1 root root 9243 Jun 2 15:48 sympa_aliases
-rw-r--r-- 1 root root 24576 Jun 5 16:40 sympa_aliases.db

It is still not automatically creating new aliases, but the sympa.log
messages have changed
/var/log/sympa.log
Jun 5 17:10:45 announce wwsympa[3105]: [robot announce.uchicago.edu] [client
128.135.0.88] Could not find CSS file /style.css, using default CSS
Jun 5 17:10:45 announce wwsympa[3105]: [robot announce.uchicago.edu] [client
128.135.0.88] [user address@concealed]
do_create_list(06053,adsfdf,discussion_list)
Jun 5 17:10:45 announce wwsympa[3105]: [robot announce.uchicago.edu] [client
128.135.0.88] [user address@concealed] do_create_list, get action : do_it
Jun 5 17:10:45 announce wwsympa[3105]:
admin::check_topics(computing,announce.uchicago.edu)
Jun 5 17:10:46 announce wwsympa[3105]: admin::install_aliases : Unable to
append to alias file
Jun 5 17:10:48 announce wwsympa[3108]: WWSympa started

Here are the permissions of executables in /home/sympa/bin, in case that
makes a difference
-rwxr-xr-x 1 sympa sympa 5971 Jun 2 14:12 alias_manager.pl
-rwsr-x--- 1 root sympa 6645 Jun 2 14:12 aliaswrapper
-rwsr-sr-x 1 sympa sympa 466887 Jun 2 14:12 wwsympa.fcgi
-rwxr-xr-x 1 sympa sympa 86 Jun 2 14:12 wwsympa_sudo_wrapper.pl

Is there anything else I should check?

Redmond



+++ Peter Farmer <address@concealed> [06/06/05 10:20]:
> Redmond,
>
> This is a common sendmail security issue - I found out the hard way a long
> time ago 8-).
>
> The aliases file and its database files (generated by newaliases) must be
> owned by root and writable only by root AND they must live in a directory,
> every path component of which is owned by and writable only by root.
>
> If database files are not protected this way, attackers can create
> private aliases files and then run 'sendmail -oA./aliases -bi' to create a
> bogus database that can be copied over (or delete and replace) the
> original.
>
> Regards,
>
> Peter Farmer
>
> On Saturday 03 June 2006 5:02 am, Redmond Militante wrote:
> > Hello-
> >
> > I received this in regards to an installation of sympa I was configuring
> > to work with Postfix. I'm now experiencing the same problem - namely,
> > that sympa auto creation of alias fails - on a machine on which I'd like
> > to use sendmail as my MTA.
> >
> > snippet of our sympa.logs
> > Jun 2 15:41:32 announce wwsympa[6204]: [robot announce.uchicago.edu]
> > [client 128.135.0.88] [user address@concealed] do_create_list, get action
> > : do_it Jun 2 15:41:32 announce wwsympa[6204]:
> > admin::check_topics(computing/apps,announce.uchicago.edu) Jun 2 15:41:32
> > announce wwsympa[6204]: admin::install_aliases : Unable to run newaliases
> >
> > snippet of /var/log/maillog
> > Jun 2 14:48:55 announce sendmail[2811]: NOQUEUE: SYSERR(root): hash map
> > "Alias1": unsafe map file /etc/mail/sympa_aliases.db: Permission denied
> > Jun 2 14:48:55 announce sendmail[2811]: NOQUEUE: SYSERR(root): Cannot
> > create database for alias file /etc/mail/sympa_aliases
> >
> > /etc/mail/sympa_aliases and /etc/mail/sympa_aliases.db were copied from
> > another machine. I'd like to replicate these aliases onto the new
> > server. I've modified sympa_aliases so that the hostname is the hostname
> > of the new machine.
> >
> > Permissions for /etc/mail are
> > drwxr-xr-x 3 sympa sympa 4096 Jun 2 15:49 mail
> >
> > Permissions for /etc/mail/sympa_aliases* are
> > -rw-r--r-- 1 sympa sympa 9243 Jun 2 15:48 sympa_aliases
> > -rw-r--r-- 1 sympa smmsp 24576 Jun 2 15:48 sympa_aliases.db
> >
> > -I have tried various permissions for /etc/mail/sympa_aliases and
> > /etc/mail/sympa_aliases.db. I've tried making root:root, sympa:sympa,
> > sympa:smmsp, and smmsp:smmsp owner of the sympa_aliases.db file - nothing
> > has worked so far, I still receive the same error in maillog.
> >
> > This server is RHEL 4. I've compiled sympa with
> > ./configure --with-bindir=/etc/smrsh
> >
> > +++ Redmond Militante <address@concealed> [06/04/20 09:15]:
> > > +++ Olivier Salaün - CRU <address@concealed> [06/04/20 08:38]:
> > > > Sympa automatic aliases creation may fail for one of the following
> > > > reasons:
> > > > * The /etc/mail/sympa_aliases file (defined by
> > > > 'sendmail_aliases' sympa.conf parameter) does not exist. Starting
> > > > with Sympa 5.2,
> >
> > the file exists
> >
> > > > sympa.pl is able to create the aliases file if it is missing.
> > > > * /etc/mail/sympa_aliases is not used by your MTA. If using
> > > > sendmail, add it to sendmail.cf
> >
> > snippet of our sendmail.cf
> > # location of alias file
> > O AliasFile=/etc/aliases,/etc/mail/sympa_alias
> >
> > > > * The newaliases command requires special arguments on your
> > > > system. You can define the newaliases command and arguments used
> > > > during the configure. See
> > > >
> > > > [1]http://www.sympa.org/doc/html/node4.html#SECTION00430000000000000000
> >
> > not necessary on our system.
> >
> > > > * The aliaswrapper program is missing the SetUID bit
> >
> > %ls -la /home/sympa/bin/aliaswrapper*
> > -rwsr-x--- 1 root sympa 6645 Jun 2 14:12 /home/sympa/bin/aliaswrapper
> >
> > > > * Your /etc/mail/sympa_aliases does not have the appropriate
> > > > privileges. It should neither be group-writeable nor
> > > > world-writeable
> >
> > % ls -la /etc/mail/sympa_aliases
> > -rw-r--r-- 1 sympa sympa 9243 Jun 2 15:48 /etc/mail/sympa_aliases
> >
> > > > * Your /etc/mail/sympa_aliases.db does not have the appropriate
> > > > privileges. This file is created by running newaliases. User
> > > > 'smmsp' should be owner of this map file
> >
> > see above. I've also tried making smmsp:smmsp owner of this file, same
> > error. sympa:smmsp is currently owner of this file.
> >
> > Any advice appreciated.
> >
> > > > Redmond Militante wrote:
> > > >
> > > > Isn't alias_manager.pl supposed to run 'newaliases' via aliaswrapper,
> > > > whenever it is run?
> > > >
> > > >
> > > > On our sympa installation, I can run alias_manager.pl from the
> > > > command line, and when I create a new list via
> > > > wwsympa.fcgi, alias_manager.pl runs and appends new list aliases to
> > > > /etc/mail/sympa.aliases - but it looks like it
> > > > is not running 'newaliases' after appending to sympa.aliases. I have
> > > > to log in as root and run 'newaliases'
> > > > manually in order to successfully send mail to my new list, otherwise
> > > > I get a mail delivery notification telling
> > > > me that the message can't be delivered because the recipient is
> > > > unknown - running 'newaliases' fixes this.
> > > >
> > > >
> > > > Do I have to recompile in order to get alias_manager.pl to run
> > > > newaliases for me? Or do people usually just
> > > > newaliases as a cron job?
> > > >
> > > > References
> > > >
> > > > 1.
> > > > http://www.sympa.org/doc/html/node4.html#SECTION00430000000000000000
> > >
> > > --
> > > Redmond Militante / NSIT / The University of Chicago
> > > PGP Public Key: <http://home.uchicago.edu/~rjm/pubkey.asc>

--
Redmond Militante / NSIT / The University of Chicago
PGP Public Key: <http://home.uchicago.edu/~rjm/pubkey.asc>
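
An added example, not part of the original thread and not Sympa or sendmail code: a small audit of the rule quoted above from Peter Farmer's reply (alias file, its .db map and every directory above them owned by root and writable only by root). The function names and the `stop_at` parameter are hypothetical; it implements the rule as stated in the thread, not sendmail's own safe-file check.

```python
import os
import stat


def audit_path(path, owner_uid=0, stop_at="/"):
    """Check a file and each directory above it, up to stop_at.

    Returns a list of (component, problem) tuples; empty means the rule holds.
    """
    findings = []
    # Resolve symlinks so the components checked are the ones really traversed.
    current = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)
    while True:
        try:
            st = os.stat(current)
        except OSError as exc:
            findings.append((current, "cannot stat: %s" % exc.strerror))
        else:
            if st.st_uid != owner_uid:
                findings.append(
                    (current, "owner uid %d, expected %d" % (st.st_uid, owner_uid)))
            if st.st_mode & stat.S_IWGRP:
                findings.append((current, "group-writable"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


def audit_alias_files(alias_file, owner_uid=0, stop_at="/"):
    """Audit the alias source file and the .db map newaliases builds from it."""
    seen, out = set(), []
    for path in (alias_file, alias_file + ".db"):
        for item in audit_path(path, owner_uid, stop_at):
            if item not in seen:  # shared parent directories are reported once
                seen.add(item)
                out.append(item)
    return out


if __name__ == "__main__":
    # Path taken from the thread; owner_uid=0 (root) is the default assumption.
    for component, problem in audit_alias_files("/etc/mail/sympa_aliases"):
        print("%s: %s" % (component, problem))
```

Run against the earlier listing in this thread, where /etc/mail and both files were owned by sympa, every one of those components would be reported with an unexpected owner.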


