Sophie

Sophie

distrib > Mandriva > 9.2 > i586 > by-pkgid > 960682759d6b16198e74613b5f73b4e2 > files > 14

amavisd-new-0.20030616-9mdk.noarch.rpm

Setting up amavisd-new to run in a chroot jail
==============================================
2003-03, Mark Martinec
Last updated: 2003-08-06

This is not for inexperienced Unix administrators!

This is not an automated script, but rather a checklist, guidelines
and ideas to help you set up the environment in which amavisd-new
and its external services can run in a Unix chroot jail to reduce
the possible security threats and protect the rest of your system.

Details vary greatly from one Unix system to another. The following
examples are based on FreeBSD and Linux, but should be useful for
other Unix systems. Some of your paths are likely to be different.

The following is based on setting a SMTP-based amavisd-new (e.g. to be
use with Postfix or dual-MTA setup), and tried out with all external
decoding programs, with SpamAssassin and with the following virus scanners:
Clam Antivirus clamscan and clamd, Sophos sweep, SAVI-Perl and Sophie



exit   # This is NOT an automatic script!!!
       # Don't execute commands without knowing what they will do!!!

# ESSENTIAL, DO NOT FORGET to cd to your new chroot home directory
# before running further commands:
#
mkdir /var/amavis
cd /var/amavis
umask 022

# make directory structure within the current directory (/var/amavis)
mkdir -p etc dev bin lib tmp var/tmp var/run var/virusmails
mkdir -p usr/bin usr/lib usr/libexec usr/share usr/lib/zoneinfo
mkdir -p usr/share/misc usr/share/spamassassin etc/mail/spamassassin

# make dev/null - adjust MAJOR/MINOR as appropriate (see ls -l /dev/null)
mknod dev/null    c  2 2   # FreeBSD?
mknod dev/null    c  1 3   # Linux?

mknod dev/random  c  1 8   # Linux?
mknod dev/urandom c  1 9   # Linux?
mknod dev/urandom c 45 2   # OpenBSD ?
mknod dev/random  c  2 3   # FreeBSD ?
ln -s dev/random dev/urandom  # FreeBSD
#
# NOTE: the file system where dev/null and other device files will reside
#       must not be mounted with "nodev" option (/etc/fstab) !


# make a symbolic link so that chrooted processes can refer to the
# home directory as /var/amavis (same as not-chrooted), and do not have
# to handle it differently (i.e. referring to it as  / )
ln -s / var/amavis

# copy required binaries to /var/amavis/usr/bin
for j in \
  /usr/bin/false \
  /usr/bin/file /usr/bin/gzip /usr/bin/bzip2 \
  /usr/local/bin/nomarch /usr/local/bin/arc \
  /usr/local/bin/unrar \
  /usr/local/bin/arj /usr/local/bin/unarj \
  /usr/local/bin/zoo /usr/local/bin/lha \
  /usr/local/bin/lzop /usr/local/bin/freeze /bin/cpio \
  /usr/local/bin/sweep /usr/local/bin/clamscan /usr/local/sbin/sophie
do cp -p $j usr/bin/; done

# copy needed /etc files to /var/amavis/etc
for j in \
  /etc/amavisd.conf \
  /etc/protocols /etc/services /etc/hosts \
  /etc/resolv.conf /etc/nsswitch.conf /etc/host.conf /etc/localtime \
  /etc/group /etc/passwd
do cp -p $j etc/; done

# copy shared libraries to /var/amavis/lib
#   (check:  ldd /var/amavis/usr/bin/*  to see which ones are needed)
#
#FreeBSD: 
for j in \
  /usr/lib/libc.so.5 /usr/lib/libm.so.2 /usr/lib/libstdc++.so.4 \
  /usr/lib/libz.so.2 \
  /usr/local/lib/libsavi.so.3 /usr/local/lib/libclamav.so*
do cp -p $j usr/lib/; done
cp -p /usr/libexec/ld-elf.so.1 usr/libexec/

#Linux:
for j in \
  /lib/libc.so.6 /lib/libm.so.6 /lib/ld-linux.so.2 \
  /lib/libpthread.so.0 /lib/libresolv-2.3.2.so /lib/libnss_*.so* \
  /lib/libgcc_s.so.1 /usr/lib/libstdc++.so.5 \
  /usr/lib/libz.so.1 /usr/lib/libbz2.so.1 /lib/libdb*.so* \
  /usr/local/lib/libsavi.so.3 /usr/local/lib/libclamav.so*
do cp -p $j lib/; done


# needed by SpamAssassin:
cp -p /etc/mail/spamassassin/local.cf etc/mail/spamassassin/
cp -pR /usr/local/share/spamassassin usr/share/  # FreeBSD
cp -pR /usr/share/spamassassin       usr/share/  # Linux

# needed by file(1):
cp -p /usr/share/misc/magic*  usr/share/misc/ # FreeBSD
cp -p /usr/share/magic        usr/share/      # Linux

# needed by AV scanners (Sophos)
mkdir -p usr/local/sav
cp -pR /usr/local/sav usr/local/

# needed by AV scanners (ClamAV)
mkdir -p usr/local/share/clam  # is the directory clam or clamav ?
cp -pR /usr/local/share/clam usr/local/share/
cp /usr/local/bin/freshclam /usr/local/sbin/clamd usr/bin/
cp /root/clamav.conf etc/
# Start clamd and freshclam:
#   chroot -u vscan /var/amavis /usr/sbin/clamd
#   chroot -u vscan /var/amavis /usr/bin/freshclam -d \
#     -c 4 --log-verbose --datadir=/usr/local/share/clam \
#     -l /var/log/clam-update.log

# needed by AV scanners (H+BEDV AntiVir)
mkdir -p usr/lib/AntiVir
cp -pR /usr/lib/AntiVir usr/lib/



# what about /usr/lib/zoneinfo ?
# If you have Postfix, check its chroot setup script for further ideas:
# postfix-xxx/examples/chroot-setup/YOUR-OS

# set protections
chmod 1770 tmp
chmod 1770 var/tmp
chmod 666 dev/null
chmod 644 dev/*random

# FreeBSD:
chown -R root:wheel /var/amavis
chown vscan:vscan /var/amavis
chown -R vscan:vscan var/virusmails
chown -R vscan:vscan amavis.* amavisd.* tmp
chown -R vscan:vscan *.log razor* .razor* .spamassassin

# Linux
chown -R root:root /var/amavis
chown amavis:amavis /var/amavis
chown -R amavis:amavis var/virusmails
chown -R amavis:amavis amavis.* amavisd.* tmp
chown -R amavis:amavis *.log razor* .razor* .spamassassin

# Daemonized virus scanners (e.g. Sophie, ClamD) may be
# started in the same chroot jail, or not.  E.g.
#   chroot /var/amavis /usr/bin/sophie -D
#
# If you want, you may now remove /usr/local/sav and make a link instead,
# to avoid having two copies of Sophos database:
#   ln -s /var/amavis/usr/local/sav /usr/local/sav 
# consider:
#   ln -s /var/amavis/var/run/sophie      /var/run/     # Sophie socket
#   ln -s /var/amavis/var/run/sophie.pid  /var/run/


# Programs may be tested individually whether they are happy
# in the chroot jail:
#
perl -e '$uid=getpwnam("vscan")   or die "E1:$!";
         chroot "/var/amavis"     or die "E2:$!";
         $> = $< = $uid;
         open(STDIN,"</dev/null") or die "E3:$!";
         exec qw(file /etc/amavisd.conf)'; echo $?
# or...
#    ... exec qw(file /usr/bin/gzip)'; echo $?
#    ... exec qw(gzip -d 0.lis)'; echo $?
#    ...


Edit /var/amavis/etc/amavisd.conf, setting:
  $MYHOME = '/var/amavis';
  $TEMPBASE = $ENV{TMPDIR} = "$MYHOME/tmp";
  $daemon_chroot_dir = $MYHOME;

Logging should preferably be directed to syslog.

Because the program starts outside the chroot jail and brings-in all Perl
modules first, there is fortunately no need to make a copy of Perl modules
inside the jail. As a consequence, the 'reload' (HUP) can not work
and you need to kill and restart the daemon from outside the chroot jail.

If Perl complains about missing modules, add them to the list
in file amavisd:

    fetch_modules('REQUIRED BASIC MODULES', qw(
	Exporter POSIX Fcntl Socket Errno Time::HiRes
	IO::File IO::Socket IO::Wrap IO::Stringy
    ...

With earlier version of Perl you might need to add autoloaded modules
to the list, such as:
        auto::POSIX::setgid auto::POSIX::setuid


If quarantine files are to be gzipped, shell is needed in
chroot jail as well - or else replace the line (in file 'amavisd'):
  'spam-quarantine'  => sub { ($QUARANTINEDIR, "$VIRUSFILE.gz") },
with:
  'spam-quarantine'  => sub { ($QUARANTINEDIR, $VIRUSFILE) },
to disable compressing quarantined spam.


NOTE:
  OpenBSD chroot specifics are described in the document
  http://lawmonkey.org/anti-spam.html, by Scott Vintinner.

NOTE:
  With Net::Server 0.85 you may see a message:

    Net::Server: Couldn't POSIX::setuid to ... []

  If the process UID remained 0 (root), the program will terminate,
  otherwise consider the message just as informative.

  This is because POSIX::setuid() returns a string "0 but true",
  which is not a UID, as expected bu Net::Server.


NOTE:
  On FreeBSD (and possibly on other systems) you may need to apply
  the following patch to Net::Server (based on version 0.85),
  located in the directory /usr/local/lib/perl5/site_perl/5.8.0/Net
  or thereabout.

--- Server.pm~	2003-03-07 15:51:35.000000000 +0100
+++ Server.pm	2003-04-25 13:59:12.000000000 +0200
@@ -475,8 +475,10 @@
     }
   };
   if( $@ ){
-    if( $< == 0 || $> == 0 ){
+    if( $> == 0 ){
       $self->fatal( $@ );
+    } elsif( $< == 0){
+      $self->log(2,"NOTICE: Effective UID changed, but Real UID is 0: $@");
     }else{
       $self->log(2,$@);
     }
--- Server/Daemonize.pm~	2002-09-24 20:55:15.000000000 +0200
+++ Server/Daemonize.pm	2003-04-25 13:58:16.000000000 +0200
@@ -204,8 +204,7 @@
     die "Couldn't become uid \"$uid\"\n";
   }
   my $result = POSIX::setuid( $uid );
-  if( ! defined($result)
-      || $result != $uid ){ # assuming this is true for all systems
+  if( ! defined($result) ){
     die "Couldn't POSIX::setuid to \"$uid\" [$!]\n";
   }
   return 1;

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional