From majordomo-workers-owner Thu Aug 3 17:18:52 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id RAA06518; Thu, 3 Aug 2000 17:04:16 -0700 (PDT) Received: from ntcserver4.dscr.dla.mil (ntcserver4.dscr.dla.mil [206.38.37.95]) by honor.greatcircle.com (Postfix) with SMTP id 6386617E8B for ; Thu, 3 Aug 2000 17:04:09 -0700 (PDT) Received: (qmail 8503 invoked from network); 4 Aug 2000 00:15:12 -0000 Received: from localhost (127.0.0.1) by localhost with SMTP; 4 Aug 2000 00:15:12 -0000 Date: Thu, 3 Aug 2000 18:33:46 -0500 (CDT) From: Chuck Milam X-Sender: cmilam@ntcserver4 To: mj2-dev@csf.colorado.edu Subject: Insecure $ENV{ENV} while running with -T switch Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk This is probably a FAQ, but a quick fix is needed: When trying to use MJ2 via the E-mail interface, messages are being deferred. In the mj_email.debug log: Insecure $ENV{ENV} while running with -T switch at /usr/local/lib/perl5/site_perl/5.6.0/Net/Domain.pm line 167. I'm sure this is a quick fix (untainting the path? but how?) -- Chuck Milam chuck@milams.net From majordomo-workers-owner Thu Aug 3 17:33:41 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id RAA06554; Thu, 3 Aug 2000 17:09:59 -0700 (PDT) Received: from ntcserver4.dscr.dla.mil (ntcserver4.dscr.dla.mil [206.38.37.95]) by honor.greatcircle.com (Postfix) with SMTP id 7614C17E8B for ; Thu, 3 Aug 2000 17:09:54 -0700 (PDT) Received: (qmail 8673 invoked from network); 4 Aug 2000 00:20:58 -0000 Received: from localhost (127.0.0.1) by localhost with SMTP; 4 Aug 2000 00:20:58 -0000 Date: Thu, 3 Aug 2000 19:20:58 -0500 (CDT) From: Chuck Milam X-Sender: cmilam@ntcserver4.dscr.dla.mil To: mj2-dev@csf.colorado.edu Cc: majordomo-workers@greatcircle.com Subject: Re: Insecure $ENV{ENV} while running with -T switch In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk On Thu, 3 Aug 2000, Chuck Milam wrote: > This is probably a FAQ, but a quick fix is needed: > > When trying to use MJ2 via the E-mail interface, messages are being > deferred. In the mj_email.debug log: > > Insecure $ENV{ENV} while running with -T switch at > /usr/local/lib/perl5/site_perl/5.6.0/Net/Domain.pm line 167. > > I'm sure this is a quick fix (untainting the path? but how?) More info: Linux Red Hat 6.2 (Intel) Perl 5.6.0 qmail -- Chuck Milam chuck@milams.net From majordomo-workers-owner Tue Aug 15 06:33:50 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id GAA28589; Tue, 15 Aug 2000 06:23:18 -0700 (PDT) Received: from thelab.hub.org (nat204.85.mpoweredpc.net [142.177.204.85]) by honor.greatcircle.com (Postfix) with ESMTP id 85C3317E8B for ; Tue, 15 Aug 2000 06:23:13 -0700 (PDT) Received: from localhost (scrappy@localhost) by thelab.hub.org (8.9.3/8.9.3) with ESMTP id KAA80126; Tue, 15 Aug 2000 10:34:13 -0300 (ADT) (envelope-from scrappy@hub.org) X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs Date: Tue, 15 Aug 2000 10:34:12 -0300 (ADT) From: The Hermit Hacker To: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu Subject: make test fails on recent CVS ... ? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk does it matter? t/addr..............ok t/db-dbmbtree.......ok t/db-dbmhash........ok t/db-text...........ok t/shell.............--== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at blib/lib/Majordomo.pm (autosplit into blib/lib/auto/Majordomo/_createlist.al) line 3202. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76, chunk 2. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. --== Use of uninitialized value at /usr/local/majordomo/lib/Mj/Inform.pm line 76. FAILED test 10 Failed 1/14 tests, 92.86% okay Failed Test Status Wstat Total Fail Failed List of failed ------------------------------------------------------------------------------- t/shell.t 14 1 7.14% 10 Failed 1/5 test scripts, 80.00% okay. 1/136 subtests failed, 99.26% okay. *** Error code 2 Stop in /usr/local/src/majordomo. Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy Systems Administrator @ hub.org primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org From majordomo-workers-owner Tue Aug 15 07:18:48 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id HAA28994; Tue, 15 Aug 2000 07:11:28 -0700 (PDT) Received: from thelab.hub.org (nat204.85.mpoweredpc.net [142.177.204.85]) by honor.greatcircle.com (Postfix) with ESMTP id 7CAD817E8B for ; Tue, 15 Aug 2000 07:11:23 -0700 (PDT) Received: from localhost (scrappy@localhost) by thelab.hub.org (8.9.3/8.9.3) with ESMTP id LAA59102; Tue, 15 Aug 2000 11:22:27 -0300 (ADT) (envelope-from scrappy@hub.org) X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs Date: Tue, 15 Aug 2000 11:22:27 -0300 (ADT) From: The Hermit Hacker To: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu Subject: mj_wwwadm ... where is everything defined? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk I'm looking at doing some work in mj_wwwadm ... things like 'save' the func in the SELECT list based on the previous value and what not, but can't find where that SELECT list is even built/defined: %grep -i "select name" bin/mj_wwwadm % I've checked through the lib/Mj stuff and nadda in there either ... what I'd *like* to do is have it so that when you do a tokeninfo-full, it provides a link to the appropriate lists//GLOBAL/spool/ file that can be called up to see what it is you are accepting/rejecting ... Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy Systems Administrator @ hub.org primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org From majordomo-workers-owner Sun Aug 20 11:21:22 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id LAA16805; Sun, 20 Aug 2000 11:03:28 -0700 (PDT) Received: by honor.greatcircle.com (Postfix, from userid 1013) id 41D5F17E8B; Sun, 20 Aug 2000 11:03:26 -0700 (PDT) Received: from thelab.hub.org (nat204.85.mpoweredpc.net [142.177.204.85]) by honor.greatcircle.com (Postfix) with ESMTP id A21FC17E8B for ; Tue, 15 Aug 2000 06:28:02 -0700 (PDT) Received: from localhost (scrappy@localhost) by thelab.hub.org (8.9.3/8.9.3) with ESMTP id KAA99031; Tue, 15 Aug 2000 10:39:06 -0300 (ADT) (envelope-from scrappy@hub.org) X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs Date: Tue, 15 Aug 2000 10:39:06 -0300 (ADT) From: The Hermit Hacker To: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu Subject: approving token's through mj_wwwadm ... Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk I'm starting to try and use mj_wwwadm a bit more for bounces and whatnot, but have a slight problem ... how do I know why something needs to be accepted/rejected in token if there is no way of seeing what the message is/was? subscribe/unsubscribe, sure ... but other then recognizing some names, I don't want to accept spam to go to the list? this is with the newest majordomo from CVS as of today ... Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy Systems Administrator @ hub.org primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org From majordomo-workers-owner Mon Aug 21 11:51:27 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id LAA02546; Mon, 21 Aug 2000 11:38:42 -0700 (PDT) Received: from thelab.hub.org (nat194.159.mpoweredpc.net [142.177.194.159]) by honor.greatcircle.com (Postfix) with ESMTP id 6F16717E8B for ; Mon, 21 Aug 2000 11:38:37 -0700 (PDT) Received: from localhost (scrappy@localhost) by thelab.hub.org (8.9.3/8.9.3) with ESMTP id PAA33807; Mon, 21 Aug 2000 15:52:57 -0300 (ADT) (envelope-from scrappy@hub.org) X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs Date: Mon, 21 Aug 2000 15:52:57 -0300 (ADT) From: The Hermit Hacker To: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu Subject: (forw) Majordomo results: Re: B03B-5A09-D558 : CONFIRM from pgsql- (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk got this problem report from a subscriber ... majordomo2 has been recently upgraded from CVS ... Aug 15th, to be exact ... Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy Systems Administrator @ hub.org primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org ---------- Forwarded message ---------- Date: Mon, 21 Aug 2000 11:45:52 -0700 From: Alfred Perlstein To: scrappy@hub.org Cc: postmaster@hub.org Subject: (forw) Majordomo results: Re: B03B-5A09-D558 : CONFIRM from pgsql- I'm trying to subscribe alfred@freebsd.org to postgresql-committers, I'm not sure if I was successful, but the reply from majordomo got me a bit scared: ---- ARRAY(0x8612460) looks like a majordomo bug of some sort, you may want to look into it. I was also wondering why majordomo didn't seem to do the "auth" thing where if you try to subscribe an address that's not your 'From' it sends a random string that you send back to authorize the other email address. Do you know if i'm going to have any problems with this? Am I subscribed as alfred@freebsd.org now? thanks, -Alfred ----- Forwarded message from majordomo-owner@hub.org ----- From: majordomo-owner@hub.org Reply-To: majordomo@hub.org To: Alfred Perlstein Subject: Majordomo results: Re: B03B-5A09-D558 : CONFIRM from pgsql- Date: Mon, 21 Aug 2000 14:18:32 -0400 (EDT) Message-Id: <200008211818.e7LIIWT51880@hub.org> >>>> accept ---- ARRAY(0x8612460) >>>> * majordomo@hub.org [000821 04:25] wrote: **** Illegal command! >>>> -- Stopping at signature separator. 1 valid command processed; it is pending. ----- End forwarded message ----- -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." From majordomo-workers-owner Mon Aug 21 12:21:32 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id MAA02897; Mon, 21 Aug 2000 12:11:28 -0700 (PDT) Received: from thelab.hub.org (nat194.159.mpoweredpc.net [142.177.194.159]) by honor.greatcircle.com (Postfix) with ESMTP id A189717E8B for ; Mon, 21 Aug 2000 12:11:21 -0700 (PDT) Received: from localhost (scrappy@localhost) by thelab.hub.org (8.9.3/8.9.3) with ESMTP id QAA48025; Mon, 21 Aug 2000 16:25:32 -0300 (ADT) (envelope-from scrappy@hub.org) X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs Date: Mon, 21 Aug 2000 16:25:32 -0300 (ADT) From: The Hermit Hacker To: Jason L Tibbitts III Cc: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu Subject: Re: (forw) Majordomo results: Re: B03B-5A09-D558 : CONFIRM from pgsql- (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk On 21 Aug 2000, Jason L Tibbitts III wrote: > >>>>> "THH" == The Hermit Hacker writes: > > THH> got this problem report from a subscriber ... majordomo2 has been > THH> recently upgraded from CVS ... Aug 15th, to be exact ... > > Obviously at least one bug (or a busted installation); it would be nice to > have instructions on how to reproduce it. I just went through the > subscribe process via email to a test list here and it worked as expected. > > Ah, the dangers of running raw development code in production. but, development code has sooooooo many nice new features, and is generally quite stable :) and, what fun is life if you take no risks? > Anyway, this simply looks like the formatter is trying to print an > arrayref instead of a string. The last change to the formatter for the > accept routine was on Aug 18 (cvs annotate lib/Mj/Format.pm) and looks like > it might be related. okay, will update ... thanks ... From majordomo-workers-owner Mon Aug 21 13:32:29 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id NAA03527; Mon, 21 Aug 2000 13:23:56 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id 8225F17E8B for ; Mon, 21 Aug 2000 13:23:51 -0700 (PDT) Received: from selous-98.niner.net (van-bc56-157.netcom.ca [216.129.74.157]) by niner.net (8.9.3/8.9.3) with ESMTP id NAA01447 for ; Mon, 21 Aug 2000 13:38:11 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000821133216.00c8d6a0@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 21 Aug 2000 13:39:07 -0700 To: majordomo-workers@greatcircle.com From: Craig Hartnett Subject: Downloading Majordomo 2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hi there, I should probably be shot or flamed for this question, but I've searched the archives and the only pointers I can find for Majordomo 2 are Jason's page at http://www.hpc.uh.edu/majordomo and the CSF page at http://csf.colorado.edu/help . Neither page seems to have any information on where one can download version 2. If someone can tell me where to download it, I would be most appreciative. I did at one point have a 1.9x.x version installed on my server, but have decided to play with version 2. Thanks in advance. Craig Hartnett From majordomo-workers-owner Mon Aug 21 14:32:30 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id OAA04140; Mon, 21 Aug 2000 14:23:26 -0700 (PDT) Received: from thelab.hub.org (nat194.159.mpoweredpc.net [142.177.194.159]) by honor.greatcircle.com (Postfix) with ESMTP id 2DF4E17E8B for ; Mon, 21 Aug 2000 14:23:20 -0700 (PDT) Received: from localhost (scrappy@localhost) by thelab.hub.org (8.9.3/8.9.3) with ESMTP id SAA93241; Mon, 21 Aug 2000 18:37:34 -0300 (ADT) (envelope-from scrappy@hub.org) X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs Date: Mon, 21 Aug 2000 18:37:34 -0300 (ADT) From: The Hermit Hacker To: Craig Hartnett Cc: majordomo-workers@GreatCircle.COM Subject: Re: Downloading Majordomo 2 In-Reply-To: <4.3.2.7.2.20000821133216.00c8d6a0@niner.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk ftp://ftp.hub.org/pub/Majordomo2 has nightly snapshots based on the CVS repository ... On Mon, 21 Aug 2000, Craig Hartnett wrote: > Hi there, > > I should probably be shot or flamed for this question, but I've searched > the archives and the only pointers I can find for Majordomo 2 are Jason's > page at http://www.hpc.uh.edu/majordomo and the CSF page at > http://csf.colorado.edu/help . Neither page seems to have any information > on where one can download version 2. > > If someone can tell me where to download it, I would be most appreciative. > I did at one point have a 1.9x.x version installed on my server, but have > decided to play with version 2. > > Thanks in advance. > > > Craig Hartnett > > Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy Systems Administrator @ hub.org primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org From majordomo-workers-owner Mon Aug 21 15:17:45 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id PAA04673; Mon, 21 Aug 2000 15:16:05 -0700 (PDT) Received: from epithumia.math.uh.edu (epithumia.math.uh.edu [129.7.128.2]) by honor.greatcircle.com (Postfix) with ESMTP id 58B8617E8B for ; Mon, 21 Aug 2000 15:15:59 -0700 (PDT) Received: (from tibbs@localhost) by epithumia.math.uh.edu (8.9.3/8.9.3) id RAA24591; Mon, 21 Aug 2000 17:30:18 -0500 To: Craig Hartnett Cc: majordomo-workers@GreatCircle.COM Subject: Re: Downloading Majordomo 2 References: <4.3.2.7.2.20000821133216.00c8d6a0@niner.net> From: Jason L Tibbitts III Date: 21 Aug 2000 17:30:18 -0500 In-Reply-To: Craig Hartnett's message of "Mon, 21 Aug 2000 13:39:07 -0700" Message-ID: Lines: 4 User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk I guess I don't need to bother making code snapshots, because the CSF page has a link to a place where one can download nightly snapshots. - J< From majordomo-workers-owner Mon Aug 21 15:32:30 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id PAA04638; Mon, 21 Aug 2000 15:11:53 -0700 (PDT) Received: from epithumia.math.uh.edu (epithumia.math.uh.edu [129.7.128.2]) by honor.greatcircle.com (Postfix) with ESMTP id C919117E8B for ; Mon, 21 Aug 2000 15:11:46 -0700 (PDT) Received: (from tibbs@localhost) by epithumia.math.uh.edu (8.9.3/8.9.3) id RAA24578; Mon, 21 Aug 2000 17:26:05 -0500 To: Craig Hartnett Cc: majordomo-workers@GreatCircle.COM Subject: Re: Downloading Majordomo 2 References: <4.3.2.7.2.20000821133216.00c8d6a0@niner.net> From: Jason L Tibbitts III Date: 21 Aug 2000 17:26:05 -0500 In-Reply-To: Craig Hartnett's message of "Mon, 21 Aug 2000 13:39:07 -0700" Message-ID: Lines: 13 User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk >>>>> "CH" == Craig Hartnett writes: CH> Hi there, I should probably be shot or flamed for this question, but CH> I've searched the archives and the only pointers I can find for CH> Majordomo 2 are Jason's page at http://www.hpc.uh.edu/majordomo and the CH> CSF page at http://csf.colorado.edu/help . Neither page seems to have CH> any information on where one can download version 2. Well, my page does have a pointer to some snapshots on my FTP site (I'll go ahead and make another) but it also has instructions on fetching the most current code via CVS. What other kind of information were you looking for? - J< From majordomo-workers-owner Mon Aug 21 17:02:30 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id QAA05509; Mon, 21 Aug 2000 16:49:36 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id EEE4617E8B for ; Mon, 21 Aug 2000 16:49:30 -0700 (PDT) Received: from selous-98.niner.net (van-bc58-006.netcom.ca [216.129.68.6]) by niner.net (8.9.3/8.9.3) with ESMTP id RAA10025 for ; Mon, 21 Aug 2000 17:03:54 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000821162935.00ca8680@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 21 Aug 2000 17:04:52 -0700 To: majordomo-workers@GreatCircle.COM From: Craig Hartnett Subject: Re: Downloading Majordomo 2 In-Reply-To: References: <4.3.2.7.2.20000821133216.00c8d6a0@niner.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hi there, Thanks to everyone for your responses. I guess part of my problem is that I probably shouldn't be dabbling in the developers' list, since I'm not even sure what a CVS tree is (other than it seems to me like some sort of FTP site that is somehow specifically useful in open-source software development) and I thought I read on one of the sites that the snapshots were not necessarily complete (i.e., some were "partial snapshots"). I'm not sure how I missed the link on the CSF page though -- must have been early in the morning. Anyway, I have what I believe is the latest snapshot and now I will see what kind of damage I can do to my server. I promise to RTFM before I ask any more questions, or go back to 1.94.5. Thanks again. Craig At 00:08:21 05:26 pm -0500, Jason L Tibbitts III wrote: > >>>>> "CH" == Craig Hartnett writes: > >CH> Hi there, I should probably be shot or flamed for this question, but >CH> I've searched the archives and the only pointers I can find for >CH> Majordomo 2 are Jason's page at http://www.hpc.uh.edu/majordomo and the >CH> CSF page at http://csf.colorado.edu/help . Neither page seems to have >CH> any information on where one can download version 2. > >Well, my page does have a pointer to some snapshots on my FTP site (I'll go >ahead and make another) but it also has instructions on fetching the most >current code via CVS. What other kind of information were you looking for? > > - J< From majordomo-workers-owner Wed Aug 23 08:50:01 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id IAA02946; Wed, 23 Aug 2000 08:43:41 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id B8FCA17E8B for ; Wed, 23 Aug 2000 08:43:36 -0700 (PDT) Received: from selous-98.niner.net (van-bc53-102.netcom.ca [216.129.65.230]) by niner.net (8.9.3/8.9.3) with ESMTP id IAA12012 for ; Wed, 23 Aug 2000 08:58:18 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000823085827.00d58800@wheresmymailserver.com> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 23 Aug 2000 08:59:09 -0700 To: majordomo-workers@greatcircle.com From: Craig Hartnett Subject: Fwd: Mj2 Installation Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hi there, No response to this on the users' list, so I thought I'd try here. Craig >Date: Tue, 22 Aug 2000 18:54:57 -0700 >To: majordomo-users@greatcircle.com >From: Craig Hartnett >Subject: Mj2 Installation > >Hi there, > >If anyone here has any suggestions as to how I should answer the following >questions in the Majordomo 2 installation routine, I would appreciate it: > >1) What is the user ID that Majordomo will run as? (Either the numeric ID >or the user name is fine.) > >2) What is the group ID that Majordomo will run as? (Either the numeric ID >or the group name is fine.) > >3) What umask should Majordomo use? (The umask is the Unix method of >restricting the permissions on newly created files and directories.) > >4) Where will the Majordomo list data be kept? > >5) Where can Majordomo place secure temporary files? > >I have already had some suggestions, but more would be appreciated. I am >running a virtual server with VServers and am not a UNIX guru, but have >done enough reading to be dangerous. > >I'm guessing that the answers to questions 1 and 2 are specific to my >server, although if someone can tell me how I might arrive at answers >myself that would be great. > >There are some suggestions in the readme file for question 3, and I will >probably follow those. > >With respect to questions 4 and 5, any pointers (or pointers to where I >can find the information) on the usual directory structure for a UNIX Web >server running Apache would be appreciated -- specifically, I'd rather not >create my own directories all over the place when "usual practice" would >be to create them in a specific location, such as under the etc directory >for example. > >If this should be posted to the workers' list, my apologies. Thanks in >advance. > > >Craig Hartnett From majordomo-workers-owner Wed Aug 23 10:35:02 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id KAA03944; Wed, 23 Aug 2000 10:24:16 -0700 (PDT) Received: from epithumia.math.uh.edu (epithumia.math.uh.edu [129.7.128.2]) by honor.greatcircle.com (Postfix) with ESMTP id 730E417E8B for ; Wed, 23 Aug 2000 10:24:08 -0700 (PDT) Received: (from tibbs@localhost) by epithumia.math.uh.edu (8.9.3/8.9.3) id MAA30955; Wed, 23 Aug 2000 12:38:39 -0500 To: Craig Hartnett Cc: majordomo-workers@GreatCircle.COM Subject: Re: Fwd: Mj2 Installation References: <4.3.2.7.2.20000823085827.00d58800@wheresmymailserver.com> From: Jason L Tibbitts III Date: 23 Aug 2000 12:38:39 -0500 In-Reply-To: Craig Hartnett's message of "Wed, 23 Aug 2000 08:59:09 -0700" Message-ID: Lines: 70 User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk >>>>> "CH" == Craig Hartnett writes: CH> No response to this on the users' list, so I thought I'd try here. I don't know that any of the developers keep you with the users' list; this is development software so it's best to reach us here or on the development list at mj2-dev@csf.colorado.edu. CH> I'm guessing that the answers to questions 1 and 2 are specific to my CH> server, although if someone can tell me how I might arrive at answers CH> myself that would be great. Well, you should create a user (using whatever procedure you use on your system) that Majordomo will run as. I use 'lists'. You could use anything at all; your own login would work, or even root if you really didn't care about security. The README file has this to say: Majordomo must run as a specific user on your system. Generally an account must be created (the installation process will not do this for you). Give either the name of this account or its numeric ID here. CH> There are some suggestions in the readme file for question 3, and I CH> will probably follow those. They aren't suggestions; they are the only values supported. (Well, there are some others that give everybody read and write access, but I'm sure that's not what you want.) Choose the amount of security you want. As a developer I like to poke about in the files, so I put myself in the same group as Majordomo ans use 007. You probably want 077. CH> With respect to questions 4 and 5, any pointers (or pointers to where I CH> can find the information) on the usual directory structure for a UNIX CH> Web server running Apache would be appreciated There is no "usual place". Choose a directory that is where you want it to be and which has enough space to contain the lists. The README file has this to say: ---- Where will the Majordomo libraries, executables and documentation be kept? This could be something like "/usr/local/majordomo"; Majordomo will make this directory and several directories under it to hold its various components. Note that this is not necessarily where your lists must be stored. Majordomo just needs to know where to put its executables and libraries. After installation, Majordomo will not write to this location. It can be NFS mounted or on a partition mounted read-only (after installation is complete, of course). If it is an NFS-mounted partition, however, that partition must be mounted to as to allow setuid binaries. If this is not the case, most of Majordomo will fail completely. Note that Majordomo does not install its libraries into the normal perl installation directories. ---- Where will the Majordomo list data be kept? Note that under this directory will be a directory for each domain your site supports, and under that a directory for each list at your site. Note also that this should _not_ be a directory containing lists maintained by Majordomo 1.x, as Majordomo 2 stores its lists in a different format. This should _not_ be an NFS-mounted directory, as the locking mechanism currently used by Majordomo will not function properly over NFS. This doesn't have to be in the same location as the previous directory. ---- - J< From majordomo-workers-owner Thu Aug 24 02:54:17 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id CAA13571; Thu, 24 Aug 2000 02:40:18 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id 7D30417E8B for ; Thu, 24 Aug 2000 02:40:06 -0700 (PDT) Received: from selous-98.niner.net (van-bc59-164.netcom.ca [216.129.75.140]) by niner.net (8.9.3/8.9.3) with ESMTP id CAA01959 for ; Thu, 24 Aug 2000 02:54:56 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000823171509.00b52360@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 24 Aug 2000 02:29:25 -0700 To: majordomo-workers@greatcircle.com From: Craig Hartnett Subject: Re: Mj2 Installation In-Reply-To: <39A44591.531EEBE3@netscape.com> References: <4.3.2.7.2.20000822184032.00b54b00@niner.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hi Sudhakar, Thanks very much for the tips. Creating users is no problem, but I'm not up on creating groups. Since I'm on a virtual server I'm not even sure if I have that option. Can I just use the same group that all of the other users on my virtual server are members of, or will that cause a problem? If it's any help the numeric ID for the group is 100 and I think the group name is "vuser". Craig At 00:08:23 02:43 pm -0700 Sudhakar Chandra wrote: >Craig Hartnett proclaimed: > > If anyone here has any suggestions as to how I should answer the following > > questions in the Majordomo 2 installation routine, I would appreciate it: > > > > 1) What is the user ID that Majordomo will run as? (Either the numeric ID > > or the user name is fine.) > > > > 2) What is the group ID that Majordomo will run as? (Either the numeric ID > > or the group name is fine.) > > >Answers to both the above questions depends on your unix system. Usually, >you should be able to find a user named majordom and a group named majordom >on a unix machine. The user is listed in /etc/passwd and the group in >/etc/group. If you don't find such a user or group listed, talk to your >sys admin. > > > 3) What umask should Majordomo use? (The umask is the Unix method of > > restricting the permissions on newly created files and directories.) > >Accept the default or 007. > > > 4) Where will the Majordomo list data be kept? > >Have something like /usr/local/majordomo2-lists/ This directory will >contain the information about the various mailing lists you create. > > > 5) Where can Majordomo place secure temporary files? > >Something like /tmp/mj or /usr/local/tmp/mj. From majordomo-workers-owner Thu Aug 24 03:06:08 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id CAA13577; Thu, 24 Aug 2000 02:40:28 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id C9A5D17E8E for ; Thu, 24 Aug 2000 02:40:12 -0700 (PDT) Received: from selous-98.niner.net (van-bc59-164.netcom.ca [216.129.75.140]) by niner.net (8.9.3/8.9.3) with ESMTP id CAA01965; Thu, 24 Aug 2000 02:54:58 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000824022443.00d07ae0@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 24 Aug 2000 02:53:07 -0700 To: Jason L Tibbitts III From: Craig Hartnett Subject: Re: Fwd: Mj2 Installation Cc: majordomo-workers@greatcircle.com In-Reply-To: References: <4.3.2.7.2.20000823085827.00d58800@wheresmymailserver.com> <4.3.2.7.2.20000823164953.00b562f0@niner.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hi Jason, If I can contribute in a meaningful way, I hope I can and I will. I'll start this e-mail by saying that I'm not looking for busy people to hold my hand here -- I know what it's like to be busy. However, if you think that helping someone who is reasonably intelligent and catches on quickly, but who has little knowledge of UNIX (but who remembers DOS fondly and wishes [or wonders if] there was a UNIX equivalent for F3), will help with the development of Mj2, then I'll volunteer to be a newbie guinea pig. I initially had some trouble getting "perl Makefile.PL" to work (and started writing a long e-mail about it with command outputs), but I stumbled upon something and it ran. (It seems that on my virtual server I have to use "perl5 Makefile.PL".) Unfortunately it told me I was missing a few things, which wasn't that unexpected really. I followed the instructions in the installation routine to install some modules (I'm missing six and one I have doesn't seem to be working properly) via CPAN. It looked like it was going to work, but for some reason the CPAN process hit a brick wall. Since CPAN is probably beyond the scope of this mailing list, I'll do some research on the CPAN Web site and try again in the morning. Right now I'm going to bed. :) Craig At 00:08:23 07:53 pm -0500 Jason L Tibbitts III wrote: > >>>>> "CH" == Craig Hartnett writes: > >CH> Thanks very much for your help. I'm going to install it shortly and >CH> I'll let you know how it goes. > >You're welcome. We do want to make it as easy as possible to install, so i >you can suggest improvements to anything you had trouble with, we'd greatly >appreciate it. > > - J< From majordomo-workers-owner Thu Aug 24 10:03:53 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id JAA19438; Thu, 24 Aug 2000 09:47:34 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id E516717E8B for ; Thu, 24 Aug 2000 09:47:27 -0700 (PDT) Received: from selous-98.niner.net (van-bc56-158.netcom.ca [216.129.74.158]) by niner.net (8.9.3/8.9.3) with ESMTP id KAA24158 for ; Thu, 24 Aug 2000 10:02:14 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000824095833.03b44b00@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 24 Aug 2000 10:02:55 -0700 To: majordomo-workers@greatcircle.com From: Craig Hartnett Subject: Re: Fwd: Mj2 Installation In-Reply-To: <20000824103217.B19148@risc.sps.mot.com> References: <4.3.2.7.2.20000824022443.00d07ae0@niner.net> <4.3.2.7.2.20000823164953.00b562f0@niner.net> <4.3.2.7.2.20000824022443.00d07ae0@niner.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hi Dave, Yes I did, but being on a virtual server I obviously don't have root access on the physical machine, but should have some sort of root access on the virtual server. The CPAN installation routine seemed to work fine, but stopped when it couldn't find a file. It didn't refuse to run because of insufficient access privileges, as far as I can tell. Craig At 00:08:24 10:32 am -0500, Dave Wolfe wrote: >[ Craig Hartnett writes: ] > > > > I initially had some trouble getting "perl Makefile.PL" to work (and > > started writing a long e-mail about it with command outputs), but I > > stumbled upon something and it ran. (It seems that on my virtual server I > > have to use "perl5 Makefile.PL".) Unfortunately it told me I was missing a > > few things, which wasn't that unexpected really. I followed the > > instructions in the installation routine to install some modules (I'm > > missing six and one I have doesn't seem to be working properly) via CPAN. > > It looked like it was going to work, but for some reason the CPAN process > > hit a brick wall. > >Did you read the part (in README) about having to have root access to be >able to install Perl modules? > >-- > Dave Wolfe From majordomo-workers-owner Thu Aug 24 12:17:32 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id MAA20952; Thu, 24 Aug 2000 12:13:53 -0700 (PDT) Received: from kachina.jetcafe.org (kachina.jetcafe.org [205.147.43.2]) by honor.greatcircle.com (Postfix) with ESMTP id D434C17E8B for ; Thu, 24 Aug 2000 12:13:47 -0700 (PDT) Received: from ee-nt.climber.org (eckert@netcom6.netcom.com [199.183.9.106]) by kachina.jetcafe.org (8.9.3/8.9.1) with ESMTP id MAA16146; Thu, 24 Aug 2000 12:28:34 -0700 (PDT) Message-Id: <4.3.1.0.20000824115717.00cb4d70@pop.climber.org> X-Sender: eckert@pop.climber.org X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Thu, 24 Aug 2000 11:59:26 -0700 To: Craig Hartnett From: SRE Subject: Re: Fwd: Mj2 Installation Cc: majordomo-workers@GreatCircle.COM In-Reply-To: <4.3.2.7.2.20000824022443.00d07ae0@niner.net> References: <4.3.2.7.2.20000823085827.00d58800@wheresmymailserver.com> <4.3.2.7.2.20000823164953.00b562f0@niner.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk At 02:53 AM 8/24/00, Craig Hartnett wrote: >UNIX (but who remembers DOS fondly and wishes [or wonders if] there was a UNIX equivalent for F3) You mean repeating a command? Try "!!" from a vanilla cshell, and/or look in the help file from your favorite shell for things like "history". But really, NOTHING beats the old Apollo "display manager" where you could view, edit, and even do search/replace in your type-ahead buffer! Sigh. From majordomo-workers-owner Thu Aug 24 14:02:54 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id NAA22246; Thu, 24 Aug 2000 13:56:23 -0700 (PDT) Received: from netscape.com (h-205-217-237-47.netscape.com [205.217.237.47]) by honor.greatcircle.com (Postfix) with ESMTP id 5F94E17E8B for ; Thu, 24 Aug 2000 13:56:17 -0700 (PDT) Received: from judge.mcom.com (judge.mcom.com [205.217.237.53]) by netscape.com (8.10.0/8.10.0) with ESMTP id e7OL5MY07310 for ; Thu, 24 Aug 2000 14:05:22 -0700 (PDT) Received: from netscape.com ([208.12.45.34]) by judge.mcom.com (Netscape Messaging Server 4.15) with ESMTP id FZTEUI02.0X7 for ; Thu, 24 Aug 2000 14:11:06 -0700 Message-ID: <39A58F6A.F8233976@netscape.com> Date: Thu, 24 Aug 2000 14:11:06 -0700 From: Sudhakar Chandra Organization: A Doubleplusgood Mega Corporation X-Mailer: Mozilla 4.75b1 [en] (X11; U; Linux 2.2.17 i686) X-Accept-Language: en, fr MIME-Version: 1.0 To: majordomo-workers@GreatCircle.COM Subject: Re: Fwd: Mj2 Installation References: <4.3.2.7.2.20000823085827.00d58800@wheresmymailserver.com> <4.3.2.7.2.20000823164953.00b562f0@niner.net> <4.3.1.0.20000824115717.00cb4d70@pop.climber.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk SRE proclaimed: > But really, NOTHING beats the old Apollo "display manager" where you could > view, edit, and even do search/replace in your type-ahead buffer! Sigh. This is possible with both bash and tcsh. You can view command in your history (usually by just clicking the UP arrow on a well configured system), edit whichever command using vi or emacs keystrokes. Read the man page for bash and check out 'set -o emacs'. S. -- "You see this? [holds up Marge's hand, to permit close inspection of Marge's wedding ring] It symbolizes that she's my property, and I own her." -- Homer J. Simpson Sudhakar C13n http://www.aunet.org/thaths/ Lead Indentured Slave From majordomo-workers-owner Sat Aug 26 00:20:14 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id AAA12728; Sat, 26 Aug 2000 00:11:53 -0700 (PDT) Received: from kachina.jetcafe.org (kachina.jetcafe.org [205.147.43.2]) by honor.greatcircle.com (Postfix) with ESMTP id C46D417E8C for ; Sat, 26 Aug 2000 00:11:47 -0700 (PDT) Received: from ee-nt.climber.org (eckert@netcom11.netcom.com [199.183.9.111]) by kachina.jetcafe.org (8.9.3/8.9.1) with ESMTP id AAA01366; Sat, 26 Aug 2000 00:26:54 -0700 (PDT) Message-Id: <4.3.1.0.20000825233518.00bbf420@pop.climber.org> X-Sender: eckert@pop.climber.org X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Sat, 26 Aug 2000 00:16:16 -0700 To: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu From: SRE Subject: Mj2: setuid wrappers are insecure? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk The Mj2 README file says: >Majordomo2 includes its own setuid wrapper generation, so setuid shell >scripts are not required. I need some help finding several parts of the install code, because not all the permissions seem to be set properly and the setuid wrappers are open to exploits involving environment variables (e.g. LD_LIBRARY_PATH) according to my sysadmin. The exploit stuff is way down below... Running as dummy user "mj2", with uid=999 and gid=123, all of the install steps finish normally (no warnings, no errors) but the final result isn't good: Logged in as "mj2", I can invoke mj_shell and do stuff. Logged in as anyone else, except root, the shell cannot be started: /home/mj2/bin/mj_shell: Permission denied FIRST PROBLEM: The install procedure happily writes to a directory that no one else, including the sendmail daemon, can read. In the path above /home/mj2 had protections of 700, and whether or not /home/mj2/bin was world readable it cannot even be seen on my Solaris 2.7 box. Easy enough to fix, but can someone tell me how to fix it in install? Each branch of the install path needs to be world readable (and for directories that means world executable, I think). Please tell me if I'm wrong, but the way I got it to work here was "chmod 755 /home/mj2". Now I start wondering how this can work, since I was never root for the entire installation process and I *did* choose to install the setuid wrappers. That step SHOULD HAVE failed since my unprivileged user doesn't have setuid authority (it's not in any powerful group, it's certainly not root, etc) shouldn't it?. From the Mj2 README.DIRECTORIES file: >If the setuid wrappers were built, the actual scripts will have a >period prepended to their names. Otherwise the script itself will be >setuid. The scripts which are wrapped/made setuid will differ >depending on which MTA the system is running under. OK, let's check: >% cd /home/mj2/bin >% ls -la >total 794 >drwxr-xr-x 2 mj2 listserver 512 Aug 25 23:25 . >drwxr-xr-x 11 mj2 listserver 512 Aug 25 23:26 .. >-r-xr-xr-x 1 mj2 listserver 7252 Aug 25 23:23 .mj_confirm >-r-xr-xr-x 1 mj2 listserver 17910 Aug 25 23:23 .mj_email >-r-xr-xr-x 1 mj2 listserver 10104 Aug 25 23:23 .mj_enqueue >-r-xr-xr-x 1 mj2 listserver 23565 Aug 25 23:23 .mj_shell >-r-xr-xr-x 1 mj2 listserver 2266 Aug 25 23:23 .mj_shutdown >-r-xr-xr-x 1 mj2 listserver 23145 Aug 25 23:23 .mj_wwwadm >-r-xr-xr-x 1 mj2 listserver 22660 Aug 25 23:23 .mj_wwwusr >-r-s--s--x 1 mj2 listserver 36692 Aug 25 23:23 mj_confirm >-r-s--s--x 1 mj2 listserver 36680 Aug 25 23:23 mj_email >-r-s--s--x 1 mj2 listserver 36692 Aug 25 23:23 mj_enqueue >-r-xr-xr-x 1 mj2 listserver 21850 Aug 25 23:23 mj_queuerun >-r-xr-xr-x 1 mj2 listserver 7578 Aug 25 23:23 mj_queueserv >-r-s--s--x 1 mj2 listserver 36680 Aug 25 23:23 mj_shell >-r-s--s--x 1 mj2 listserver 36696 Aug 25 23:23 mj_shutdown >-r-xr-xr-x 1 mj2 listserver 4058 Aug 25 23:23 mj_trigger >-r-s--s--x 1 mj2 listserver 36692 Aug 25 23:23 mj_wwwadm >-r-s--s--x 1 mj2 listserver 36692 Aug 25 23:23 mj_wwwusr SECOND PROBLEM? A couple of entries in the bin directory are not wrappers? Are mj_queuerun and mj_queueserv so safe they don't need wrappers, or is this just an oversight? It took me a bit to find the wrappers directory, but here's mj_shell.c : >main(ac, av) > char **av; >{ > execv("/home/mj2/bin/.mj_shell", av); >} THIRD PROBLEM: I didn't find the compile command line, but I don't think the binary is stripped or that there is any checking of the environment variables. I've been handed a wrapper.c, which my sysadmin says is based on the original Majordomo, that has a bunch of sanity and security checking before it calls "execve(prog, argv, new_env);" - but I'll spare you all the boring details for now. Can anyone comment on safe environments for Mj2? Can't I just set a malicious environment that replaces shared library paths and all that, then write a little perl script that calls the wrappers to become mj2 and fiddle about? FOURTH PROBLEM: Really a question: Since I finished the install NOT EVER BEING ROOT, and since the wrappers supposedly do a setuid, does this mean that using "su" to become the server process ID is safer than using "su" to become root for the installation? Obviously the mail daemon needs to have access to the files, but only to run the wrappers, right? From then on, Mj2 just reads and writes to directories that it owns, no? So why does the install procedure suggest being root? Is that safe? SRE mailto:eckert@climber.org | http://www.climber.org/eckert/ Info on peak climbing email lists mailto:info@climber.org Before email, five carbon copies were the maximum extension of anybody's ego. From majordomo-workers-owner Sat Aug 26 02:55:15 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id CAA14860; Sat, 26 Aug 2000 02:28:42 -0700 (PDT) Received: from blueyonder.co.uk (pcow028o.blueyonder.co.uk [195.188.53.124]) by honor.greatcircle.com (Postfix) with ESMTP id B1C7F17E8C for ; Sat, 26 Aug 2000 02:28:32 -0700 (PDT) Received: from 300gl ([213.48.39.179]) by blueyonder.co.uk with Microsoft SMTPSVC(5.5.1877.197.19); Sat, 26 Aug 2000 10:44:42 +0100 From: geoff.cox@cableinet.co.uk To: majordomo-workers@GreatCircle.COM Date: Sat, 26 Aug 2000 10:42:28 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: V2 where is it? Message-ID: <39A79F14.16297.A8BF04@localhost> X-mailer: Pegasus Mail for Win32 (v3.12c) Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hello, can someone please point me at v2 majordomo? Thanks Geoff From majordomo-workers-owner Sat Aug 26 13:04:44 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id MAA22345; Sat, 26 Aug 2000 12:48:54 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id C672917E8C for ; Sat, 26 Aug 2000 12:48:46 -0700 (PDT) Received: from selous-98.niner.net (van-bc64-069.netcom.ca [216.129.71.69]) by niner.net (8.9.3/8.9.3) with ESMTP id NAA04697 for ; Sat, 26 Aug 2000 13:04:03 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000826130010.00cfdd70@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 26 Aug 2000 13:03:16 -0700 To: majordomo-workers@GreatCircle.COM From: Craig Hartnett Subject: Re: V2 where is it? In-Reply-To: <39A79F14.16297.A8BF04@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hi Geoff, Sites at http://csf.colorado.edu/help and http://www.hpc.uh.edu/majordomo. Nightly snapshots at ftp://ftp.hub.org/pub/Majordomo2/ . Craig At 00:08:26 10:42 am +0100, geoff.cox@cableinet.co.uk wrote: >Hello, > >can someone please point me at v2 majordomo? > >Thanks > >Geoff From majordomo-workers-owner Sat Aug 26 13:19:29 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id MAA22351; Sat, 26 Aug 2000 12:49:06 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id 1B2D017EB3 for ; Sat, 26 Aug 2000 12:48:56 -0700 (PDT) Received: from selous-98.niner.net (van-bc64-069.netcom.ca [216.129.71.69]) by niner.net (8.9.3/8.9.3) with ESMTP id NAA04686 for ; Sat, 26 Aug 2000 13:04:02 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000826122545.00caced0@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 26 Aug 2000 12:28:23 -0700 To: majordomo-workers@greatcircle.com From: Craig Hartnett Subject: Re: Fwd: Mj2 Installation In-Reply-To: <4.3.1.0.20000824115717.00cb4d70@pop.climber.org> References: <4.3.2.7.2.20000824022443.00d07ae0@niner.net> <4.3.2.7.2.20000823085827.00d58800@wheresmymailserver.com> <4.3.2.7.2.20000823164953.00b562f0@niner.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Thanks! That works just great. Craig At 00:08:24 11:59 am -0700, SRE wrote: >At 02:53 AM 8/24/00, Craig Hartnett wrote: > >UNIX (but who remembers DOS fondly and wishes [or wonders if] there was > a UNIX equivalent for F3) > >You mean repeating a command? Try "!!" from a vanilla cshell, and/or look >in the help file from your favorite shell for things like "history". > >But really, NOTHING beats the old Apollo "display manager" where you could >view, edit, and even do search/replace in your type-ahead buffer! Sigh. From majordomo-workers-owner Sat Aug 26 17:04:55 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id QAA24633; Sat, 26 Aug 2000 16:58:53 -0700 (PDT) Received: from epithumia.math.uh.edu (epithumia.math.uh.edu [129.7.128.2]) by honor.greatcircle.com (Postfix) with ESMTP id 5AABC17E8C for ; Sat, 26 Aug 2000 16:58:48 -0700 (PDT) Received: (from tibbs@localhost) by epithumia.math.uh.edu (8.9.3/8.9.3) id TAA06876; Sat, 26 Aug 2000 19:14:03 -0500 To: SRE Cc: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu Subject: Re: setuid wrappers are insecure? References: <4.3.1.0.20000825233518.00bbf420@pop.climber.org> From: Jason L Tibbitts III Date: 26 Aug 2000 19:14:03 -0500 In-Reply-To: SRE's message of "Sat, 26 Aug 2000 00:16:16 -0700" Message-ID: Lines: 93 User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk >>>>> "S" == SRE writes: S> I need some help finding several parts of the install code, because not S> all the permissions seem to be set properly and the setuid wrappers are S> open to exploits involving environment variables (e.g. LD_LIBRARY_PATH) S> according to my sysadmin. The exploit stuff is way down below... The setuid wrappers we use are the ones the Perl authors suggest. setuid shell scripts may be insecure, but that's why we have the wrappers. S> Logged in as anyone else, except root, the shell cannot be started: S> /home/mj2/bin/mj_shell: Permission denied Yep. As expected. S> FIRST PROBLEM: The install procedure happily writes to a directory that S> no one else, including the sendmail daemon, can read. Yep. This is as expected. You can't really expect it to work otherwise. S> SECOND PROBLEM? A couple of entries in the bin directory are not S> wrappers? Are mj_queuerun and mj_queueserv so safe they don't need S> wrappers, or is this just an oversight? Only programs which must be run by users or by the MTA (depending on the MTA) need to be setuid. Those programs are neither, thus there is no reason for them to be setuid. The same goes for mj_trigger, since it is to be run from the Majordomo user's crontab. S> THIRD PROBLEM: I didn't find the compile command line, but I don't think S> the binary is stripped or that there is any checking of the environment S> variables. There shouldn't be, really. LD_LIBRARY_PATH, if your system was stupid enough to actually pay attention to it for setuid executables, would have already come into play. And the rest of the environment is tainted by Perl. (And any special environment variables which Perl might pay attention to are ignored because Perl is being run from a setuid program.) S> Can anyone comment on safe environments for Mj2? It's not just Mj2. We are following the advice explicitly given to us by the Perl developers. If Mj2 is insecure _because of those methods_ (not because of any boneheaded coding errors that we made elsewhere) then the problem is very large indeed, because the method in use is the accepted one according to people who know lots more about security then I do. S> FOURTH PROBLEM: Really a question: Since I finished the install NOT EVER S> BEING ROOT, and since the wrappers supposedly do a setuid, does this S> mean that using "su" to become the server process ID is safer than using S> "su" to become root for the installation? More likely you're just not able to do the appropriate chmod and your stuff really isn't setuid. The bottom line: no offense to SRE, but I don't believe you're qualified to do a security audit. I'm not really either, but in any case, the method you're critiquing was given to me by folks like Larry Wall (I asked explicitly if the suggested stuff has stood up to thorough review), so if you're going to say that it is fundamentally flawed, then I'd like more concrete explanations of the involved exploits. Anything else really is FUD. For further reading, I suggest the "perlsec" manpage. Here's a relevant portion: However, if the kernel set-id script feature isn't disabled, Perl will complain loudly that your set-id script is insecure. You'll need to either disable the kernel set-id script feature, or put a C wrapper around the script. A C wrapper is just a compiled program that does nothing except call your Perl program. Compiled programs are not subject to the kernel bug that plagues set-id scripts. Here's a simple wrapper, written in C: #define REAL_PATH "/path/to/script" main(ac, av) char **av; { execv(REAL_PATH, av); } Compile this wrapper into a binary executable and then make it rather than your script setuid or setgid. See the program wrapsuid in the eg directory of your Perl distribution for a convenient way to do this automatically for all your setuid Perl programs. It moves setuid scripts into files with the same name plus a leading dot, and then compiles a wrapper like the one above for each of them. Note how our behavior follows _exactly_ that described here. - J< From majordomo-workers-owner Sat Aug 26 22:19:20 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id WAA27127; Sat, 26 Aug 2000 22:06:17 -0700 (PDT) Received: from kachina.jetcafe.org (kachina.jetcafe.org [205.147.43.2]) by honor.greatcircle.com (Postfix) with ESMTP id 28D4617E8C for ; Sat, 26 Aug 2000 22:06:11 -0700 (PDT) Received: from ee-nt.climber.org (eckert@netcom12.netcom.com [199.183.9.112]) by kachina.jetcafe.org (8.9.3/8.9.1) with ESMTP id WAA09866; Sat, 26 Aug 2000 22:21:10 -0700 (PDT) Message-Id: <4.3.1.0.20000826213456.00bba7c0@pop.climber.org> X-Sender: eckert@pop.climber.org X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Sat, 26 Aug 2000 21:46:20 -0700 To: Jason L Tibbitts III From: SRE Subject: Re: setuid wrappers are insecure? Cc: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu In-Reply-To: References: <4.3.1.0.20000825233518.00bbf420@pop.climber.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk S> Logged in as anyone else, except root, the shell cannot be started: S> /home/mj2/bin/mj_shell: Permission denied At 05:14 PM 8/26/00, Jason L Tibbitts III wrote: >Yep. As expected. What may have been lost in my post was that once the directory permissions are fixed, ANYONE can run mj_shell. The permission denied was NOT a setuid problem or a safety kicking in, it was an inability to read the directory containing the Mj2 "bin" directory. >S> FIRST PROBLEM: The install procedure happily writes to a directory that >S> no one else, including the sendmail daemon, can read. > >Yep. This is as expected. You can't really expect it to work otherwise. Really? There's code which purports to check for proper readability, but it doesn't work. I'm not sure HOW to check, but we ought to at least warn the installer that (every, or just one?) directory above the target directory must have a "chmod" done on it, and that our install procedure won't guarantee a running mail server without it. >S> THIRD PROBLEM: I didn't find the compile command line, but I don't think >S> the binary is stripped or that there is any checking of the environment >S> variables. > >There shouldn't be, really. LD_LIBRARY_PATH, if your system was stupid >enough to actually pay attention to it for setuid executables, would have >already come into play. And the rest of the environment is tainted by >Perl. (And any special environment variables which Perl might pay >attention to are ignored because Perl is being run from a setuid program.) I'm not sure I understand that, but I guess I'll believe that you've looked into it and we're all OK. If I'm close to understanding, you're saying that any setuid program receives special treatment from the operating system, and the environment is ignored for the life of that setuid program? That surprises me, but it certainly could be true. >It's not just Mj2. We are following the advice explicitly given to us by >the Perl developers. If Mj2 is insecure _because of those methods_ (not >because of any boneheaded coding errors that we made elsewhere) then the >problem is very large indeed, because the method in use is the accepted one >according to people who know lots more about security then I do. Got it. >S> FOURTH PROBLEM: Really a question: Since I finished the install NOT EVER >S> BEING ROOT, and since the wrappers supposedly do a setuid, does this >S> mean that using "su" to become the server process ID is safer than using >S> "su" to become root for the installation? > >More likely you're just not able to do the appropriate chmod and your stuff >really isn't setuid. Have a look at the "ls -l" I sent. It is INDEED setuid, and I was never root. The secret seems to be that it's "setuid mj2", not "setuid root", and since I was logged in as user "mj2" it all worked. >The bottom line: no offense to SRE, but I don't believe you're qualified to >do a security audit. I'm not! I'm passing on concerns from my sysadmin. I stated my ignorance up front, and don't want you to interpret any of this as an attack. Even my subject line is a question, because I'm just not sure about it... so when I'm unsure, I tend to ask a lot of questions. Would it be better to tell installers to switch to the userid under which the server will run while installing, instead of telling them to be root? I can think of several HUGE benefits of this: First, my sysadmin will never let me be root but he's OK with me being "the server process" for a while (because that user has no ability to read/write outside its file space, unlike root). Second, an errant install procedure can't do as much damage when the user running it isn't root (even if you know what you're doing and you own the system, it's better to do things as the least privileged user which can get the job done). Note that this would be a doc change only, no change to the software itself. I'm asking if we should prominently point out that you DO NOT need to be root. SRE mailto:eckert@climber.org | http://www.climber.org/eckert/ Info on peak climbing email lists mailto:info@climber.org "A free society is one where it is safe to be unpopular." -- Adlai Stevenson From majordomo-workers-owner Sun Aug 27 16:35:09 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id QAA08372; Sun, 27 Aug 2000 16:23:31 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id A1F1017E8B for ; Sun, 27 Aug 2000 16:23:24 -0700 (PDT) Received: from selous-98.niner.net (van-bc54-064.netcom.ca [216.129.66.64]) by niner.net (8.9.3/8.9.3) with ESMTP id QAA10069 for ; Sun, 27 Aug 2000 16:38:52 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000827163811.00bf06b0@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 27 Aug 2000 16:38:45 -0700 To: majordomo-workers@greatcircle.com From: Craig Hartnett Subject: Mj2 Installation Output Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk niner: {7} % perl5 Makefile.PL Checking for Mail::Internet (v1.3) not found **** Majordomo requires Mail::Internet version 1.3 or greater! Checking for Mail::Header (v1.1) not found **** Majordomo requires Mail::Header version 1.1 or greater! Checking for MIME::Base64 (v2) ok: found v2.11 Checking for IO::Wrap (v1.101) not found **** Majordomo requires IO::Wrap version 1.101 or greater! Checking for MIME::Tools (v4.119) not found **** Majordomo requires MIME::Tools version 4.119 or greater! Checking for Data::Dumper (v2.07) ok: found v2.101 Checking for Date::Manip (v5.1) not found **** Majordomo requires Date::Manip version 5.1 or greater! Checking for CGI (v2.36) ok: found v2.46 Checking for MD5 (v1.7) ok: found v2.00 Checking for IO::Socket (v1.1602) ok: found v1.1603 Checking for IO::File (any) ok: found v1.06021 Checking for IO::Handle (any) ok: found v1.1505 Checking for Date::Format (any) ok: found v2.09 Checking for Date::Parse (any) ok: found v2.09 Checking for DirHandle (any) ok: found unknown version Checking for Safe (any) ok: found v2.06 Checking for POSIX (any) ok: found v1.02 Checking for Net::Domain (any) not found **** Majordomo requires Net::Domain (any version). Checking for File::Copy (any) ok: found v2.02 Checking for Fcntl (any) ok: found v1.03 Checking for Carp (any) ok: found unknown version Checking for Time::Local (any) ok: found unknown version Checking for DB_File (v1.63) not found Some modules which Majordomo requires were not found. You should fetch them from a CPAN site of your choice, or, if the CPAN module is properly set up, you can install them by running the following commands as a user capable of installing modules: perl -MCPAN -e'CPAN::Shell->install("Mail::Internet")' perl -MCPAN -e'CPAN::Shell->install("Mail::Header")' perl -MCPAN -e'CPAN::Shell->install("IO::Wrap")' perl -MCPAN -e'CPAN::Shell->install("MIME::Tools")' perl -MCPAN -e'CPAN::Shell->install("Date::Manip")' perl -MCPAN -e'CPAN::Shell->install("Net::Domain")' Checking for Sys::Syslog and headers **** Majordomo needs a properly configured Perl system. We tried to use the Sys::Syslog module, but it failed with the following error: Can't locate syslog.ph in @INC (did you run h2ph?) (@INC contains: /usr/local/li b/perl5/5.00503/i386-bsdos /usr/local/lib/perl5/5.00503 /usr/local/lib/perl5/sit e_perl/5.005/i386-bsdos /usr/local/lib/perl5/site_perl/5.005 .) at /usr/local/li b/perl5/5.00503/Sys/Syslog.pm line 117. Errors here are generally problems with the Perl installation. Sys::Syslog requires the file syslog.ph, which is supposed to be generated by running the h2ph program. If syslog.ph was not found, it can be generated by executing the following as root: cd /usr/include;h2ph * sys/* Some machines may additionally require h2ph machine/* and possibly other directories. If there was a syntax error, it is possible that h2ph generated improper code. This should be investigated and possibly reported to the perl developers. Consult the Perl documentation for further information. Majordomo will not run until this is fixed. Majordomo cannot run without its prerequisite modules. niner: {8} % From majordomo-workers-owner Sun Aug 27 16:50:09 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id QAA08377; Sun, 27 Aug 2000 16:23:40 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id BEC1317E8C for ; Sun, 27 Aug 2000 16:23:24 -0700 (PDT) Received: from selous-98.niner.net (van-bc54-064.netcom.ca [216.129.66.64]) by niner.net (8.9.3/8.9.3) with ESMTP id QAA10061 for ; Sun, 27 Aug 2000 16:38:50 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000827163519.00bbb480@wheresmymailserver.com> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 27 Aug 2000 16:36:57 -0700 To: majordomo-workers@greatcircle.com From: Craig Hartnett Subject: Fwd: Re: Fwd: Mj2 Installation Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk Hi there, This is my third attempt to send this to the list. Perhaps there is a size limit to messages, so I have stripped the two outputs I included at the end of the message and will send them separately. Craig >Date: Sun, 27 Aug 2000 02:12:05 -0700 >To: majordomo-workers@greatcircle.com >From: Craig Hartnett >Subject: Re: Fwd: Mj2 Installation > >Hi Dave, > >Sorry to take so long to respond. By the way, the snapshot I am working >with is the August 24th one from ftp://ftp.hub.org/pub/Majordomo2/ . > > >At 00:08:24 03:58 pm -0500, Dave Wolfe wrote: >>[ Craig Hartnett writes: ] >> > >> > [...] I obviously don't have root access on the physical machine, but >> > should have some sort of root access on the virtual server. >> >>I don't know what that means. Either you have write privileges where >>you're installing modules or you don't. > >True. As it turns out, the company that hosts my virtual server (VServers) >says: > >"For some things, you do have the access to install modules, depending on >what it's demands are. As a whole, I would say that the permissions you >are currently granted would not be enough to install this. As for >installing this for you, we cannot do that due to the shared nature of the >system. Installing programs, modules, etc may lead to security issues as >well as undesired operation on other VServers." > >So it would seem that as a virtual server user I am SOL. I'm going to >pursue it a bit more though from a technical standpoint, as well as from a >sales standpoint. While Mj2 is technically still in alpha, I think that if >VServers wants to remain the virtual hosting leader they claim they are, >they should be looking to the future and providing support for "bleeding >edge" technology such as Mj2. My options now appear to be to go back to >version 1, or use Mailman (which I have been looking at). However, since I >don't have permission to install PERL modules, I'm wondering if I'll be >able to install Python (which Mailman requires). > > >> > The CPAN installation routine seemed to work fine, but stopped when it >> > couldn't find a file. >> >>Don't keep us in suspense any longer, which file couldn't it find? I >>suspect what's happening is that the module you're trying to install has >>a dependency on another module that isn't installed. > >Perhaps. I didn't want to burden this list with PERL / CPAN issues, but >I'll include the output I saved at the end of this message. > > >> > It didn't refuse to run because of insufficient access privileges, as >> > far as I can tell. >> >>I would expect CPAN to fail in the module install phase if you weren't >>running it as root. Check the logs very carefully for indications of >>failure, it spews out a lot of messages and it's easy to miss. > >I'm only familiar with the Web and FTP logs. Is this a different log? >Where might I be able to find it? > > >>`perl5 -V:installsitelib' will tell you the default installation >>directory. `ls -ld that_directory' (substituting appropriately) will >>tell you the permissions and owner of that directory. Or are you using >>the PREFIX= option to install locally? If you'll give us some details >>it might make it possible for someone on the list to help you. > >niner: {14} % perl5 -V:installsitelib >installsitelib='/usr/local/lib/perl5/site_perl/5.005'; >niner: {15} % cd ~/usr/local/lib/perl5/site_perl/5.005 >niner: {16} % pwd >/usr/home/niner/usr/local/lib/perl5/site_perl/5.005 >niner: {17} % ls -ld >drwxr-xr-x 18 niner vuser 512 Nov 5 1999 . > >And, as promised, here's some output for you. First is the output from the >attempt to install Mj2: Sent in next message. Craig Hartnett From majordomo-workers-owner Sun Aug 27 17:05:09 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id QAA08378; Sun, 27 Aug 2000 16:23:41 -0700 (PDT) Received: from niner.net (niner.net [209.203.251.113]) by honor.greatcircle.com (Postfix) with ESMTP id 13D7C17E8D for ; Sun, 27 Aug 2000 16:23:30 -0700 (PDT) Received: from selous-98.niner.net (van-bc54-064.netcom.ca [216.129.66.64]) by niner.net (8.9.3/8.9.3) with ESMTP id QAA10081 for ; Sun, 27 Aug 2000 16:38:55 -0700 (PDT) Network_Provider: NinerNet Communications - http://www.niner.net Message-Id: <4.3.2.7.2.20000827163848.00bf4670@niner.net> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 27 Aug 2000 16:39:42 -0700 To: majordomo-workers@greatcircle.com From: Craig Hartnett Subject: PERL Module Installation via CPAN Output Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk niner: {4} % perl5 -MCPAN -e'CPAN::Shell->install("Mail::Internet")' We have to reconfigure CPAN.pm due to following uninitialized parameters: urllist /usr/home/niner/.cpan/CPAN/MyConfig.pm initialized. CPAN is the world-wide archive of perl resources. It consists of about 100 sites that all replicate the same contents all around the globe. Many countries have at least one CPAN site already. The resources found on CPAN are easily accessible with the CPAN.pm module. If you want to use CPAN.pm, you have to configure it properly. If you do not want to enter a dialog now, you can answer 'no' to this question and I'll try to autoconfigure. (Note: you can revisit this dialog anytime later by typing 'o conf init' at the cpan prompt.) Are you ready for manual configuration? [yes] The following questions are intended to help you with the configuration. The CPAN module needs a directory of its own to cache important index files and maybe keep a temporary mirror of CPAN files. This may be a site-wide directory or a personal directory. I see you already have a directory /root/.cpan Shall we use it as the general CPAN build and cache directory? CPAN build and cache directory? [/root/.cpan] Couldn't find directory /root/.cpan or directory is not writable. Please retry. CPAN build and cache directory? [/root/.cpan] .cpan If you want, I can keep the source files after a build in the cpan home directory. If you choose so then future builds will take the files from there. If you don't want to keep them, answer 0 to the next question. How big should the disk cache be for keeping the build directories with all the intermediate files? Cache size for build directory (in MB)? [10] By default, each time the CPAN module is started, cache scanning is performed to keep the cache size in sync. To prevent from this, disable the cache scanning with 'never'. Perform cache scanning (atstart or never)? [atstart] The CPAN module can detect when a module that which you are trying to build depends on prerequisites. If this happens, it can build the prerequisites for you automatically ('follow'), ask you for confirmation ('ask'), or just ignore them ('ignore'). Please set your policy to one of the three values. Policy on building prerequisites (follow, ask or ignore)? [follow] The CPAN module will need a few external programs to work properly. Please correct me, if I guess the wrong path for a program. Don't panic if you do not have some of them, just press ENTER for those. Where is your gzip program? [/usr/contrib/bin/gzip] Where is your tar program? [/bin/tar] Where is your unzip program? [/usr/contrib/bin/unzip] Where is your make program? [/usr/bin/make] Where is your lynx program? [/usr/local/bin/lynx] Warning: ncftpget not found in PATH Where is your ncftpget program? [] Where is your ncftp program? [/usr/local/bin/ncftp] Where is your ftp program? [/usr/bin/ftp] What is your favorite pager program? [/usr/local/bin/less] What is your favorite shell? [/bin/csh] Every Makefile.PL is run by perl in a separate process. Likewise we run 'make' and 'make install' in processes. If you have any parameters (e.g. PREFIX, INSTALLPRIVLIB, UNINST or the like) you want to pass to the calls, please specify them here. If you don't understand this question, just press ENTER. Parameters for the 'perl Makefile.PL' command? [] Parameters for the 'make' command? [] Parameters for the 'make install' command? [] Sometimes you may wish to leave the processes run by CPAN alone without caring about them. As sometimes the Makefile.PL contains question you're expected to answer, you can set a timer that will kill a 'perl Makefile.PL' process after the specified time in seconds. If you set this value to 0, these processes will wait forever. This is the default and recommended setting. Timeout for inactivity during Makefile.PL? [0] If you're accessing the net via proxies, you can specify them in the CPAN configuration or via environment variables. The variable in the $CPAN::Config takes precedence. Your ftp_proxy? Your http_proxy? Your no_proxy? You have no .cpan/sources/MIRRORED.BY I'm trying to fetch one CPAN: LWP::UserAgent loaded ok Fetching with LWP: ftp://ftp.perl.org/pub/CPAN/MIRRORED.BY Fetching with LWP: ftp://ftp.perl.org/pub/CPAN/MIRRORED.BY.gz Please, install Net::FTP as soon as possible. CPAN.pm installs it for you if you just type install Bundle::libnet Trying with "/usr/local/bin/lynx -source" to get ftp://ftp.perl.org/pub/CPAN/MIRRORED.BY Now we need to know where your favorite CPAN sites are located. Push a few sites onto the array (just in case the first on the array won't work). If you are mirroring CPAN to your local workstation, specify a file: URL. First, pick a nearby continent and country (you can pick several of each, separated by spaces, or none if you just want to keep your existing selections). Then, you will be presented with a list of URLs of CPAN mirrors in the countries you selected, along with previously selected URLs. Select some of those URLs, or just keep the old list. Finally, you will be prompted for any extra URLs -- file:, ftp:, or http: -- that host a CPAN mirror. (1) Africa (2) Asia (3) Australasia (4) Central America (5) Europe (6) North America (7) South America Select your continent (or several nearby continents) [] 6 (1) Canada (2) Mexico (3) United States Select your country (or several nearby countries) [] 1 (1) ftp://cpan.chebucto.ns.ca/pub/CPAN/ (2) ftp://ftp.crc.ca/pub/packages/lang/perl/CPAN/ (3) ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/ (4) ftp://theoryx5.uwinnipeg.ca/pub/CPAN/ Select as many URLs as you like [] 3 Enter another URL or RETURN to quit: [] New set of picks: ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/ commit: wrote /usr/home/niner/.cpan/CPAN/MyConfig.pm Trying with "/usr/local/bin/lynx -source" to get ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/authors/01mailrc.txt.gz sh: /usr/bin/gzip: not found System call "/usr/local/bin/lynx -source 'ftp://sunsite.ualberta.ca/pub/Mirror/C PAN/authors/01mailrc.txt.gz' > .cpan/sources/authors/01mailrc.txt" returned status 0 (wstat 0) Trying with "/usr/local/bin/ncftp -c" to get ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/authors/01mailrc.txt.gz Going to read .cpan/sources/authors/01mailrc.txt.gz Trying with "/usr/local/bin/lynx -source" to get ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/modules/02packages.details.txt.gz sh: /usr/bin/gzip: not found System call "/usr/local/bin/lynx -source 'ftp://sunsite.ualberta.ca/pub/Mirror/C PAN/modules/02packages.details.txt.gz' > .cpan/sources/modules/02packages.detai ls.txt" returned status 0 (wstat 0) Trying with "/usr/local/bin/ncftp -c" to get ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/modules/02packages.details.txt.gz Going to read .cpan/sources/modules/02packages.details.txt.gz Scanning cache .cpan/build for sizes There's a new CPAN.pm version (v1.57) available! You might want to try install Bundle::CPAN reload cpan without quitting the current session. It should be a seamless upgrade while we are running... Trying with "/usr/local/bin/lynx -source" to get ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/modules/03modlist.data.gz sh: /usr/bin/gzip: not found System call "/usr/local/bin/lynx -source 'ftp://sunsite.ualberta.ca/pub/Mirror/C PAN/modules/03modlist.data.gz' > .cpan/sources/modules/03modlist.data" returned status 0 (wstat 0) Trying with "/usr/local/bin/ncftp -c" to get ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/modules/03modlist.data.gz Going to read .cpan/sources/modules/03modlist.data.gz Running make for G/GB/GBARR/MailTools-1.1401.tar.gz Trying with "/usr/local/bin/lynx -source" to get ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/authors/id/G/GB/GBARR/MailTools-1. 1401.tar.gz CPAN: MD5 loaded ok Trying with "/usr/local/bin/lynx -source" to get ftp://sunsite.ualberta.ca/pub/Mirror/CPAN/authors/id/G/GB/GBARR/CHECKSUMS .cpan/sources/authors/id/G/GB/GBARR/MailTools-1.1401.tar.gz: No such file or dir ectory Checksum mismatch for distribution file. Please investigate. Distribution id = G/GB/GBARR/MailTools-1.1401.tar.gz CALLED_FOR Mail::Internet CPAN_USERID GBARR (Graham Barr ) MD5_STATUS localfile .cpan/sources/authors/id/G/GB/GBARR/MailTools-1.1401.tar.gz I'd recommend removing .cpan/sources/authors/id/G/GB/GBARR/MailTools-1.1401.tar.gz. It seems to be a bogus file. Maybe you have configured your `urllist' with a bad URL. Please check this array with `o conf urllist', and retry. sh: cannot open .cpan/sources/authors/id/G/GB/GBARR/MailTools-1.1401.tar.gz: no such file tar: End of archive volume 1 reached ATTENTION! tar archive volume change required. Ready for archive volume: 1 Input archive name or "." to quit tar. Archive name > Empty file name, try again Input archive name or "." to quit tar. Archive name > idunno tar: Failed open to read on idunno Cannot open idunno, try again Input archive name or "." to quit tar. Archive name > . Quitting tar! tar: Sorry, unable to determine archive format. Could not open >.cpan/build/GBARR000/Makefile.PL at /usr/local/lib/perl5/5.00503 /CPAN.pm line 4006 niner: {5} % From majordomo-workers-owner Sun Aug 27 22:03:53 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id VAA10725; Sun, 27 Aug 2000 21:47:52 -0700 (PDT) Received: from epithumia.math.uh.edu (epithumia.math.uh.edu [129.7.128.2]) by honor.greatcircle.com (Postfix) with ESMTP id EB60817E8B for ; Sun, 27 Aug 2000 21:47:47 -0700 (PDT) Received: (from tibbs@localhost) by epithumia.math.uh.edu (8.9.3/8.9.3) id AAA28034; Mon, 28 Aug 2000 00:03:15 -0500 To: Craig Hartnett Cc: majordomo-workers@GreatCircle.COM Subject: Re: Fwd: Re: Fwd: Mj2 Installation References: <4.3.2.7.2.20000827163519.00bbb480@wheresmymailserver.com> From: Jason L Tibbitts III Date: 28 Aug 2000 00:03:15 -0500 In-Reply-To: Craig Hartnett's message of "Sun, 27 Aug 2000 16:36:57 -0700" Message-ID: Lines: 53 User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk >>>>> "CH" == Craig Hartnett writes: CH> So it would seem that as a virtual server user I am SOL. It's too difficult to quote your self-quotes, so I'll just comment without context. Firstly, you'll have an easier time reaching the mj2 developers at mj2-dev@csf.colorado.edu. That software is run by Mj2 and doesn't have the same lag or limitations as this list. Plus, you get to try out the software as a user. Secondly, it's important to note that even though we want to help you get the software going on your unconventional setup, we don't know enough about how it works to help you. The problem with Perl modules can be overcome by getting Perl to look somewhere else for additional modules. [1] You could even build your own copy that looks only in your directories. I don't know what MTA (mail transfer agent, i.e. Sendmail) your hosting service uses; they probably have an unconventional setup there as well that needs to be worked around. Many MTAs force us to install executables setuid to get everything running as the proper user, and I really doubt that they'd let you install setuid binaries. Even then, if certain guarantees are met by the MTA (mainly that it _always_ calls our executables as a single user that you have access to) then we can get by without the setuid requirement. This is complicated by the web-based components, because the web browser must also call them as the _same_ user. In other words, everything must run as one user, regardless of whether it is called from the command line (mj_shell), the MTA (mj_email) or the web (mj_confirm, mj_wwwadm, mj_wwwusr). The bottom line is that our software is designed to be installed _by your hosting company_. You can be given a virtual domain from there and allowed to run your own lists in it; the software supports an unlimited number of completely separate virtual domains. But that doesn't mean it is impossible to get it to work in your situation. - J< 1) We already do this to get our executables do load in all of our special modules. You could just install your modules in the same place that Majordomo will install its own. Or you could help us hack the install process a bit. Close to the beginning of any of the Majordomo executables, just after the BEGIN block, you'll see: use lib "$::LIBDIR"; Change that to use lib "$::LIBDIR", "/path/to/your/modules" and you're set. Getting this to happen automatically in the appropriate circumstances requires more hacking, but isn't impossible. From majordomo-workers-owner Sun Aug 27 23:17:37 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id XAA11492; Sun, 27 Aug 2000 23:14:38 -0700 (PDT) Received: from kachina.jetcafe.org (kachina.jetcafe.org [205.147.43.2]) by honor.greatcircle.com (Postfix) with ESMTP id EB39517EB4 for ; Sun, 27 Aug 2000 23:14:32 -0700 (PDT) Received: from ee-nt.climber.org (eckert@netcom2.netcom.com [199.183.9.102]) by kachina.jetcafe.org (8.9.3/8.9.1) with ESMTP id XAA17672; Sun, 27 Aug 2000 23:30:00 -0700 (PDT) Message-Id: <4.3.1.0.20000827231500.00ba0bd0@pop.climber.org> X-Sender: eckert@pop.climber.org X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Sun, 27 Aug 2000 23:23:03 -0700 To: Craig Hartnett From: SRE Subject: Re: Fwd: Re: Fwd: Mj2 Installation Cc: majordomo-workers@GreatCircle.COM In-Reply-To: <4.3.2.7.2.20000827163519.00bbb480@wheresmymailserver.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk At 04:36 PM 8/27/00, Craig Hartnett wrote: >So it would seem that as a virtual server user I am SOL. I'm going to pursue >it a bit more though from a technical standpoint, as well as from a sales >standpoint. Why? Because they won't let you be root? Try installing a copy of Mj2 where you tell it you want it to setuid to your regular login userid when it runs as a server. Make sure that userid has full access to the directories you're using, and make sure that world has read/execute on every directory above them. Just do this as a test, not a real running system, unless you're really brave. It seemed to work for me, and I'm still trying to figure out why I don't have to be root to install (when everyone says I do have to be). Seems to be running... From majordomo-workers-owner Sun Aug 27 23:32:33 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id XAA11486; Sun, 27 Aug 2000 23:14:32 -0700 (PDT) Received: from kachina.jetcafe.org (kachina.jetcafe.org [205.147.43.2]) by honor.greatcircle.com (Postfix) with ESMTP id C8D5B17E8B for ; Sun, 27 Aug 2000 23:14:25 -0700 (PDT) Received: from ee-nt.climber.org (eckert@netcom2.netcom.com [199.183.9.102]) by kachina.jetcafe.org (8.9.3/8.9.1) with ESMTP id XAA17668; Sun, 27 Aug 2000 23:29:48 -0700 (PDT) Message-Id: <4.3.1.0.20000827225056.00bbb240@pop.climber.org> X-Sender: eckert@pop.climber.org X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Sun, 27 Aug 2000 23:12:47 -0700 To: Michael Yount From: SRE Subject: Re: Mj2: Re: setuid wrappers are insecure? Cc: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu In-Reply-To: References: <4.3.1.0.20000826213456.00bba7c0@pop.climber.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk At 08:04 AM 8/27/00, Michael Yount wrote: >A quick search yesterday turned up a somewhat dated explanation of >potential linking problems with LD_LIBRARY_PATH and LD_PRELOAD on linux. > http://lwn.net/lwn/980212/ldconfusion.html >I'd be interested to see the modified wrapper.c. Perhaps >it contains some useful ideas. Below is forwarded text and a copy of the suggested C source code. I believe the issue has evoked religious fervor, so I don't know if it's worth pursuing. I'm kind of sorry I asked, but will press on given that there has been one request for information (even though there has also been a rejection before it has been reviewed). The "useful idea" you're looking for is either - complete control of the environment BEFORE starting the perl script - checking of UID/GID to make sure they are as the installer intended Jason says all shared lib and environment exploits would happen before your wrapper code gets to execute. Is that true? Then the wrapper executes a perl script with an unknown environment and another chance for shared lib exploits. The C file below takes complete control before the scripts start firing up the perl processor... where things like the perl module include path are up for grabs with uncontrolled environment variables. Please don't take my word for it. I'm just ASKING, not TELLING, and I am guessing (from the strength of the response) that this question has been asked before. Just think about it with an open mind, and I'll believe whatever you and Jason decide. I'm not contributing much code to Mj2, mostly help files and a bit of sanity checking. One last thing: Keep in mind that I installed a usable copy of Mj2 WITHOUT EVER BEING ROOT. That wasn't supposed to be possible, but it's running as we speak. I haven't turned real users loose on it because I'm doing this sanity check first, but I'm still asking whether the Mj2 install procedure should recommend running as root or recommend running as the server (su to the UID that the wrappers will use when they are executed). It appears, at least on FreeBSD, that a regular user can create wrappers that setuid to that user when they are executed by anyone: Is there any reason to be root when building the wrappers? No answer yet. >Attached please find a modified copy of "wrapper.c" which came with the >original majordomo. You can use this to generate a setuid wrapper by >(example is mj_shell, you need one per program going into /etc/aliases): > >1) Compiling like so: > >cc -DPROG=\"/path/to/mj_shell\" -DPOSIX_UID= -DPOSIX_GID= -o mj_shell wrapper.c > >where X is the UID and Y is the GID that you want mj_shell to -really- run under. > >2) Manually setuid the wrapper to root. > >The wrapper will now execute the specified program with a sane environment vector. /* * WRAPPER.C - Originally derived from majordomo v1.xx source - See Majordomo v1.xx source * for licensing stuff...as long as you are freeware or open source I don't think there will * be a problem. Don't try to sell this, it's not cool, and very easy to write something similar * from scratch for that purpose. * * Pretty standard stuff here, allows execution of arbitrary programs from /etc/aliases * where YOU pick the setuid owner. Sanitizes environment variables * * Modified 01/12/98 - dave@jetcafe.org - add old RUID and RGID to do even more security checks * */ #include #include #include #include #if defined(sun) && defined(sparc) #include #endif #ifndef STRCHR # include # define STRCHR(s,c) strchr(s,c) #endif #ifndef BIN # define BIN "/usr/local/bin" #endif #ifndef PATH # define PATH "PATH=/bin:/usr/bin:/usr/ucb:/usr/local" #endif #ifndef HOME # define HOME "HOME=/" #endif #ifndef SHELL # define SHELL "SHELL=/bin/sh" #endif #ifndef PROG # define PROG "YouDidNotDefineAProgram,Dummy!" #endif char * new_env[] = { HOME, /* 0 */ PATH, /* 1 */ SHELL, /* 2 */ 0, /* possibly for USER or LOGNAME */ 0, /* possible for LOGNAME */ 0, /* possibly for timezone */ 0, /* other */ 0, /* other */ 0, /* other */ 0, /* other */ 0, /* other */ 0, /* other */ 0, /* other */ 0, /* other */ 0, /* other */ 0 }; int new_env_size = 14; /* to prevent overflow problems */ main(argc, argv, env) int argc; char * argv[]; char * env[]; { char * prog, * ticket; int e, i; struct passwd *userent; if (argv[1] == NULL) { fprintf(stderr,"usage: complete \n"); exit(EX_OSERR); } if ((prog = (char *) malloc(strlen(BIN) + strlen(PROG) + 2)) == NULL) { fprintf(stderr, "%s: error: malloc failed\n", argv[0]); exit(EX_OSERR); } sprintf(prog, "%s/%s", BIN, PROG); /* copy the "USER=" and "LOGNAME=" envariables into the new environment, * if they exist. */ e = 3; /* the first unused slot in new_env[] */ for (i = 0 ; env[i] != NULL && e <= new_env_size; i++) { if ((strncmp(env[i], "USER=", 5) == 0) || (strncmp(env[i], "TZ=", 3) == 0) || (strncmp(env[i], "LOGNAME=", 8) == 0) ) { new_env[e++] = env[i]; } } if ((ticket = (char *) malloc(strlen(argv[1]) + 10)) == NULL) { fprintf(stderr, "%s: error: malloc failed\n", argv[0]); exit(EX_OSERR); } /* * Add old real and effective ids to env for future use */ userent = getpwuid(getuid()); if (userent != NULL) { char *entry; if ((entry = (char *) malloc(strlen(userent->pw_name) + 10)) == NULL) { fprintf(stderr, "%s: error: malloc failed\n", argv[0]); exit(EX_OSERR); } sprintf(entry,"RUID=%s",userent->pw_name); new_env[e++] = entry; } userent = getpwuid(geteuid()); if (userent != NULL) { char *entry; if ((entry = (char *) malloc(strlen(userent->pw_name) + 10)) == NULL) { fprintf(stderr, "%s: error: malloc failed\n", argv[0]); exit(EX_OSERR); } sprintf(entry,"EUID=%s",userent->pw_name); new_env[e++] = entry; } #if defined(SETGROUP) /* renounce any previous group memberships if we are running as root */ if (geteuid() == 0) { /* Should I exit if this test fails? */ char *setgroups_used = "setgroups_was_included"; /* give strings a hint */ #if defined(MAIL_GID) int groups[] = { POSIX_GID, MAIL_GID, 0 }; if (setgroups(2, groups) == -1) { #else int groups[] = { POSIX_GID, 0 }; if (setgroups(1, groups) == -1) { #endif extern int errno; fprintf(stderr, "%s: error setgroups failed errno %d", argv[0], errno); } } #endif #ifdef POSIX_GID setgid(POSIX_GID); #else setgid(getegid()); #endif #ifdef POSIX_UID setuid(POSIX_UID); #else setuid(geteuid()); #endif if ((getuid() != geteuid()) || (getgid() != getegid())) { fprintf(stderr, "%s: error: Not running with proper UID and GID.\n", argv[0]); fprintf(stderr, " Make certain that wrapper is installed setuid, and if so,\n"); fprintf(stderr, " recompile with POSIX flags.\n"); exit(EX_SOFTWARE); } execve(prog, argv, new_env); /* the exec should never return */ fprintf(stderr, "wrapper: Trying to exec %s failed: ", prog); perror(NULL); fprintf(stderr, " HOME is %s,\n", HOME); fprintf(stderr, " PATH is %s,\n", PATH); fprintf(stderr, " SHELL is %s,\n", SHELL); fprintf(stderr, " PROG is %s\n", PROG); fprintf(stderr, " BIN is %s\n", BIN); exit(EX_OSERR); } SRE mailto:eckert@climber.org | http://www.climber.org/eckert/ Info on peak climbing email lists mailto:info@climber.org "A free society is one where it is safe to be unpopular." -- Adlai Stevenson From majordomo-workers-owner Mon Aug 28 17:02:34 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id QAA23523; Mon, 28 Aug 2000 16:54:33 -0700 (PDT) Received: from kachina.jetcafe.org (kachina.jetcafe.org [205.147.43.2]) by honor.greatcircle.com (Postfix) with ESMTP id 5B19E17EB3 for ; Mon, 28 Aug 2000 16:54:26 -0700 (PDT) Received: from ee-nt.climber.org (eckert@netcom6.netcom.com [199.183.9.106]) by kachina.jetcafe.org (8.9.3/8.9.1) with ESMTP id RAA25152; Mon, 28 Aug 2000 17:09:59 -0700 (PDT) Message-Id: <4.3.1.0.20000828164001.00ce7c90@pop.climber.org> X-Sender: eckert@pop.climber.org X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Mon, 28 Aug 2000 17:04:38 -0700 To: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu From: SRE Subject: demonstration: setuid wrappers are insecure? In-Reply-To: References: <200008280830.BAA26974@hokkshideh.jetcafe.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk At 06:36 AM 8/28/00, Jason L Tibbitts III wrote: >Then any setuid executable at all is vulnerable, and sanitizing the >environment isn't going to help because you have exploited the linker, not >our code. This is the explanation I've received several times; please show >me how it is wrong if it is wrong. OK, I looked at setting the environment variable PERL5LIB to replace one of the Majordomo modules, but Perl traps setuid scripts (and apparently notices that it's a setuid wrapper running the Mj2 scripts) so that fails. Then, after a minute or two, I thought of this non-malicious change: % echo '/bin/ls -l /usr/local/majordomo/bin' > /home/usr/eckert/tryme % chmod 777 /home/usr/eckert/tryme % setenv EDITOR /home/usr/eckert/tryme % /usr/local/majordomo/bin/mj_shell -p XXX configedit GLOBAL total 196 -r-s--s--x 1 mdomo lists 8808 Aug 9 21:35 mj_confirm -r-s--s--x 1 mdomo lists 8808 Aug 9 21:35 mj_email -r-s--s--x 1 mdomo lists 8808 Aug 9 21:35 mj_enqueue -r-xr-xr-x 1 mdomo lists 21945 Aug 9 18:40 mj_queuerun -r-xr-xr-x 1 mdomo lists 7610 Aug 9 18:40 mj_queueserv -r-s--s--x 1 mdomo lists 8808 Aug 9 21:35 mj_shell -r-s--s--x 1 mdomo lists 8808 Aug 9 21:35 mj_shutdown -r-xr-xr-x 1 mdomo lists 4133 Aug 9 18:40 mj_trigger -r-s--s--x 1 mdomo lists 8808 Aug 9 21:35 mj_wwwadm -r-s--s--x 1 mdomo lists 8808 Aug 9 21:35 mj_wwwusr File unchanged; not executing. Note that mj_shell is now executing my shell script instead of running an editor. Oops, but no big deal. One can only guess whether other things are possible, but given how easy this one was to find and demonstrate, I'm guessing others will find others! OK, so I got Mj2 to replace a command with my own shell script by passing the hard path to the shell script as an environment variable. I'm not saying THIS example is dangerous, but given one example of an environment variable that replaces the configedit command with a shell script I wrote as an unprivileged user, isn't it POSSIBLE that there are worse exploits out there waiting? I'm still not saying we need to change the wrappers, I'm just responding to the request for a demonstration. I didn't exploit the linker, the operating system, or the wrapper, I directly exploited our (Mj2) perl code (Majordomo.pm). If you were to toss the environment in the wrapper, this wouldn't be possible. Greater minds than mine can debate whether that needs to be addressed. SRE mailto:eckert@climber.org | http://www.climber.org/eckert/ Info on peak climbing email lists mailto:info@climber.org "A free society is one where it is safe to be unpopular." -- Adlai Stevenson From majordomo-workers-owner Mon Aug 28 20:02:38 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id TAA25048; Mon, 28 Aug 2000 19:58:57 -0700 (PDT) Received: from epithumia.math.uh.edu (epithumia.math.uh.edu [129.7.128.2]) by honor.greatcircle.com (Postfix) with ESMTP id 5643117E8C for ; Mon, 28 Aug 2000 19:58:52 -0700 (PDT) Received: (from tibbs@localhost) by epithumia.math.uh.edu (8.9.3/8.9.3) id WAA30942; Mon, 28 Aug 2000 22:14:29 -0500 To: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu Subject: Re: demonstration: setuid wrappers are insecure? References: <200008280830.BAA26974@hokkshideh.jetcafe.org> <4.3.1.0.20000828164001.00ce7c90@pop.climber.org> From: Jason L Tibbitts III Date: 28 Aug 2000 22:14:29 -0500 In-Reply-To: SRE's message of "Mon, 28 Aug 2000 17:04:38 -0700" Message-ID: Lines: 78 User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk >>>>> "S" == SRE writes: S> Note that mj_shell is now executing my shell script instead of running S> an editor. It runs this script as you. So you don't get to do anything that you couldn't do in the first place. Look: XYX:morpheus:~/mj/2.0> ls -l /tmp/a -rwxrwxr-x 1 tibbs tibbs 26 Aug 28 20:57 /tmp/a* XYX:morpheus:~/mj/2.0> cat /tmp/a #!/bin/sh touch /tmp/file XYX:morpheus:~/mj/2.0> rm /tmp/file XYX:morpheus:~/mj/2.0> mj_shell -p XXX configedit test digests File unchanged; not executing. XYX:morpheus:~/mj/2.0> ls -l /tmp/file -rw-r----- 1 tibbs tibbs 0 Aug 28 20:59 /tmp/file So I can create, change and delete files that I could already do those things to in the first place. Making use of EDITOR is very common in the UNIX world; I just copied exactly what the crontab program does. And look at crontab: XYX:morpheus:~/mj/2.0> ls -l /usr/bin/crontab -rwsr-xr-x 1 root root 21816 Sep 10 1999 /usr/bin/crontab* Ooh, setuid root. XYX:morpheus:~/mj/2.0> rm /tmp/file XYX:morpheus:~/mj/2.0> crontab -e crontab: no changes made to crontab XYX:morpheus:~/mj/2.0> ls -l /tmp/file -rw-rw-r-- 1 tibbs tibbs 0 Aug 28 21:01 /tmp/file S> OK, so I got Mj2 to replace a command with my own shell script by S> passing the hard path to the shell script as an environment S> variable. That's the whole point of paying attention to EDITOR. You're making it do what it is supposed to be doing. You can set EDITOR=/usr/bin/emacs or /bin/vi or /path/to/my_shell_script_that_calls_vi_with_args or /path/to/script_that_deletes_my_files, although if you did the latter then it would be your own fault, not ours. S> I'm not saying THIS example is dangerous, but given one example of an S> environment variable that replaces the configedit command with a shell S> script I wrote as an unprivileged user, isn't it POSSIBLE that there are S> worse exploits out there waiting? Anything is possible, but your example isn't useful in showing this one way or the other. S> I'm still not saying we need to change the wrappers, I'm just responding S> to the request for a demonstration. I didn't exploit the linker, the S> operating system, or the wrapper, I directly exploited our (Mj2) perl S> code (Majordomo.pm). But you haven't exploited anything. (Unless you use exploit to mean "make use of".) S> If you were to toss the environment in the wrapper, this wouldn't be S> possible. Precisely. And I and a bunch of other folks would be plenty pissed that we can't set our editors. - J< From majordomo-workers-owner Tue Aug 29 06:32:44 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id GAA03702; Tue, 29 Aug 2000 06:27:38 -0700 (PDT) Received: from kachina.jetcafe.org (kachina.jetcafe.org [205.147.43.2]) by honor.greatcircle.com (Postfix) with ESMTP id EB61917E8B for ; Tue, 29 Aug 2000 06:27:31 -0700 (PDT) Received: from ee-nt.climber.org (eckert@netcom12.netcom.com [199.183.9.112]) by kachina.jetcafe.org (8.9.3/8.9.1) with ESMTP id GAA05329; Tue, 29 Aug 2000 06:42:56 -0700 (PDT) Message-Id: <4.3.1.0.20000829062536.00bd09f0@pop.climber.org> X-Sender: eckert@pop.climber.org X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Tue, 29 Aug 2000 06:36:16 -0700 To: Jason L Tibbitts III From: SRE Subject: Re: Mj2: Re: demonstration: setuid wrappers are insecure? Cc: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu In-Reply-To: References: <200008280830.BAA26974@hokkshideh.jetcafe.org> <4.3.1.0.20000828164001.00ce7c90@pop.climber.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk At 08:14 PM 8/28/00, Jason L Tibbitts III wrote: >It runs this script as you. So you don't get to do anything that you >couldn't do in the first place. Hmmm. I thought this was a setuid script. If it sometimes runs as the server id and sometimes runs as the user id, I'm surprised and confused. Hopefully it will always run as the user id when it's doing anything that might be unsafe. I dunno how to verify one way or the other. >That's the whole point of paying attention to EDITOR. You're making it do >what it is supposed to be doing. [snip] >Anything is possible, but your example isn't useful in showing this one way >or the other. It's never possible to prove something doesn't exist, so no one can ever say any program is totally safe. I understand that. What I'm not clear on is why it's desirable to let arbitrary environment variables exist when there is so much code thaat no one has ever scanned for defects. All the CPAN modules required by Mj2 get updated regularly, and I don't know what back doors have been left in them by the various authors. I do know that I was unaware of the EDITOR variable's use in Mj2 until I scanned the code for %ENV, so I presume there are similar environment variables I still don't know about in Mj2 and in the modules it uses. My only concern was that the issue receive a full hearing. I'm not the one who should say what the final decision is. I'm sort of between you and my sysadmin, trying to make everyone happy. Is there a list of environment variables that are INTENTIONALLY used by Mj2 ? What would happen if an anxious system administrator re-wrote the wrappers to delete all environmment variables and change BOTH the effective and real uid/gid ? If no damage is done by being more conservative, how about a "paranoid" option during install that sets the wrappers up more conservatively? SRE mailto:eckert@climber.org | http://www.climber.org/eckert/ Info on peak climbing email lists mailto:info@climber.org It may be that your whole purpose in life is simply to serve as a warning to others. From majordomo-workers-owner Tue Aug 29 07:33:07 2000 Received: (majordom@localhost) by honor.greatcircle.com (8.8.5/Honor-Lists-980720-1) id HAA04230; Tue, 29 Aug 2000 07:24:55 -0700 (PDT) Received: from epithumia.math.uh.edu (epithumia.math.uh.edu [129.7.128.2]) by honor.greatcircle.com (Postfix) with ESMTP id B7E9817E8B for ; Tue, 29 Aug 2000 07:24:50 -0700 (PDT) Received: (from tibbs@localhost) by epithumia.math.uh.edu (8.9.3/8.9.3) id JAA32353; Tue, 29 Aug 2000 09:40:37 -0500 To: majordomo-workers@GreatCircle.COM, mj2-dev@csf.colorado.edu Subject: Re: Mj2: Re: demonstration: setuid wrappers are insecure? References: <200008280830.BAA26974@hokkshideh.jetcafe.org> <4.3.1.0.20000828164001.00ce7c90@pop.climber.org> <4.3.1.0.20000829062536.00bd09f0@pop.climber.org> From: Jason L Tibbitts III Date: 29 Aug 2000 09:40:36 -0500 In-Reply-To: SRE's message of "Tue, 29 Aug 2000 06:36:16 -0700" Message-ID: Lines: 54 User-Agent: Gnus/5.0803 (Gnus v5.8.3) Emacs/20.7 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: majordomo-workers-owner@GreatCircle.COM Precedence: bulk >>>>> "S" == SRE writes: S> Hmmm. I thought this was a setuid script. It is, but it is careful to drop privileges before calling the editor. S> If it sometimes runs as the server id and sometimes runs as the user id, S> I'm surprised and confused. It does. This is part of the basic UNIX security model. S> It's never possible to prove something doesn't exist, so no one can ever S> say any program is totally safe. There is a whole branch of computer science related to proving the correctness of programs, but that doesn't scale to any system this big (i.e. the OS, Perl, Majordomo, and the Internet all together). S> What I'm not clear on is why it's desirable to let arbitrary environment S> variables exist when there is so much code thaat no one has ever scanned S> for defects. I don't believe I've said that it's desirable. Up until yesterday I had maintained that someone needed to come up with a good reason for doing it besides nebulous statements that there might be problems, maybe, but we can't find one. (After all, Perl has extensive mechanisms in place to make sure that problems don't exist, and if we can't trust Perl then we have a basic underlying flaw that essentially invalidates our entire suite of software.) But Dave explained his position yesterday well enough that I understood it and agreed with it. S> Is there a list of environment variables that are INTENTIONALLY used by S> Mj2 ? No. I started a list in my reply to Dave, but I don't know enough about the web stuff to know what use it makes of the environment. (I suspect quite a bit.) Everyone here should feel free to add to that list. S> What would happen if an anxious system administrator re-wrote the S> wrappers to delete all environmment variables and change BOTH the S> effective and real uid/gid ? Then the editing portion of mj_shell would fail (because of the wrapper screwing with the UID when it's not supposed to) and the CGI scripts would stop working completely because they rely heavily on fetching stuff from the environment. I think the email stuff would keep working, assuming that your MTA requires the wrapper in the first place. Neither the CGI or shell interfaces could save much useful information in the session log. So basically you remove a lot of the features that actually make the software useful. - J<