Milter-greylist

Have been a while absent, everything concerning milter-greylist just 
running fine :-) 
Now I'm rolling out our first servers with CentOS 4.2 and hit a compile 
problem, make says:

gcc -g -O2 -Wall -I/usr/pkg/include -D_BSD_SOURCE   -c -o 
milter-greylist.o milter-greylist.c
In file included from acl.h:51,
                 from milter-greylist.c:71:
pending.h:75: error: syntax error before "pending_lock"
pending.h:75: warning: type defaults to `int' in declaration of 
`pending_lock'
pending.h:75: warning: data definition has no type or storage class


As I know some here are running CentOS, so can anyone shed some light on 
this error and how to fix it?

That line is "extern pthread_rwlock_t pending_lock;" Could this be a 
thread-safety issue? I installed lib_spf2 for spf as I always do. I can't 
believe the Suse Linux resolver is thread-safe but the CentOS/RHEL one is 
not. Do I need to install some library (sendmail-devel is installed)?

An issue with gcc?

Thanks!

Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Kai Schaetzl wrote on Tue, 21 Mar 2006 23:45:54 +0100:

> gcc -g -O2 -Wall -I/usr/pkg/include -D_BSD_SOURCE   -c -o 
> milter-greylist.o milter-greylist.c

Problem solved. My first make showed that libmilter was missing on the 
system, so I installed sendmail-devel and ran make again. That was not 
enough. After make clean and a new configure the gcc command is different 
now, it's got this additional compile flag -D_XOPEN_SOURCE=500.


Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Hm, next problem. When starting up I get 

/usr/local/bin/milter-greylist: cannot change supplementary groups: 
Operation not permitted

My first chosen user daemon indeed has several secondary groups, so I 
changed the user to smmsp. Still that error. group smmsp has a password. I 
changed to user mail, that user's primary group doesn't have a password 
and it doesn't have secondary groups. Still no go. I donated it a real 
login shell. Still no go. What's causing this?


Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Kai Schaetzl wrote on Wed, 22 Mar 2006 00:51:38 +0100:

> /usr/local/bin/milter-greylist: cannot change supplementary groups: 
> Operation not permitted

My bad. When moving over the mail spool I had accidently changed 
permissions on /var/spool.

Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Kai Schaetzl wrote on Thu, 23 Mar 2006 01:31:16 +0100:

> > /usr/local/bin/milter-greylist: cannot change supplementary groups: 
> > Operation not permitted 
>  
> My bad. When moving over the mail spool I had accidently changed 
> permissions on /var/spool.

I spoke too soon. I confused it with another problem I had and only that 
was actually fixed. I'm still getting this. It seems to be a very uncommon 
error message since searching on Google Groups reveals not a single 
posting on it. I tried if it works with user root and that is okay but not 
desirable, of course.

Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany

Kai Schaetzl wrote on Wed, 22 Mar 2006 00:51:38 +0100:

> /usr/local/bin/milter-greylist: cannot change supplementary groups: 
> Operation not permitted 
>  
> My first chosen user daemon indeed has several secondary groups, so I 
> changed the user to smmsp. Still that error. group smmsp has a password. I 
> changed to user mail, that user's primary group doesn't have a password 
> and it doesn't have secondary groups. Still no go. I donated it a real 
> login shell. Still no go. What's causing this?

I wanted to revisit this problem today and fix it. milter-greylist had been 
running as root for the last days. At least that is what I thought.

from /etc/init.d/greylist:
user="root"
daemon --user=$user /usr/local/bin/milter-greylist $OPTIONS

from greylist.conf:
user="smmsp"

ps says it's indeed running as user smmsp. However, when I change to 
user="smmsp" in the init file I get the supplementary groups error. Also, 
usually the startup parameters take precedence over greylist.conf.

Isn't that weird?

Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Kai Schaetzl <maillists@...> wrote:

> My first chosen user daemon indeed has several secondary groups, so I
> changed the user to smmsp. Still that error. group smmsp has a password. I
> changed to user mail, that user's primary group doesn't have a password
> and it doesn't have secondary groups. Still no go. I donated it a real
> login shell. Still no go. What's causing this?

This is the offending code (milter-greylist.c):

#ifdef HAVE_INITGROUPS
                if (initgroups(conf.c_user, pw->pw_gid) != 0) {
                        syslog(LOG_ERR, "%s: cannot change "
                            "supplementary groups: %s\n",
                            argv[0], strerror(errno)); 
                        exit(EX_OSERR);
                }
#endif

Proposed fixes:
1) Make it a warning and don't exit

2) Make a runtime configure test and undef HAVE_INITGROUPS if initgroups
gets a EPERM. But that would be tricky since configure is not run as
user smmsp.

3) Understand what's wrong here. What does your initgroup man page says
about EPERM? 

-- 
Emmanuel Dreyfus
Un bouquin en français sur BSD:
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@netbsd.org

wrote on Wed, 29 Mar 2006 00:02:24 +0200:

> This is the offending code (milter-greylist.c): 

Ah, uh, oh, great! I didn't ever consider this is in milter-greylist code. 
I thought that is a general Linux message and something must be 
misconfigured. Just what?

>  
> #ifdef HAVE_INITGROUPS 
>                if (initgroups(conf.c_user, pw->pw_gid) != 0) { 
>                        syslog(LOG_ERR, "%s: cannot change " 
>                            "supplementary groups: %s\n", 
>                            argv[0], strerror(errno)); 
>                        exit(EX_OSERR); 
>                } 
> #endif 

Question: is it necessary at all? Isn't the first group sufficient? Well, 
probably a dumb question, but I don't know much about this ;-)
I wonder why I'm the only one until now who hit this. I know there are 
several people here who use milter-greylist on CentOS and "smmsp" seems to 
be the default user for it.

>  
> Proposed fixes: 
> 1) Make it a warning and don't exit 
>  
> 2) Make a runtime configure test and undef HAVE_INITGROUPS if initgroups 
> gets a EPERM. But that would be tricky since configure is not run as 
> user smmsp. 

What about adding a configure switch --without-initgroups?

>  
> 3) Understand what's wrong here. What does your initgroup man page says 
> about EPERM?

Nothing that we not already know :-(

RETURN VALUE
       The  initgroups()  function  returns  0  on success, or -1 if an 
error occurs.

ERRORS
       EPERM  The calling process does not have sufficient privileges.

       ENOMEM Insufficient memory to allocate group information structure.

Here are the passwd and group lines if that helps to identify any 
irregularities.

smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin

smmsp:x:51:


Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Kai Schaetzl <maillists@...> wrote:

> > #ifdef HAVE_INITGROUPS 
> >                if (initgroups(conf.c_user, pw->pw_gid) != 0) { 
> >                        syslog(LOG_ERR, "%s: cannot change " 
> >                            "supplementary groups: %s\n", 
> >                            argv[0], strerror(errno)); 
> >                        exit(EX_OSERR); 
> >                } 
> > #endif 
> 
> Question: is it necessary at all? Isn't the first group sufficient? Well,
> probably a dumb question, but I don't know much about this ;-)

Well it's not nescessary, since it's ifdef'ed. You can tweak config.h to
remove HAVE_INITGROUPS. For a right fix, I'm tempted to turn it into a
warking, but I'd like an input from others. Why do we need initgroups? 

-- 
Emmanuel Dreyfus
Le cahier de l'admin BSD 2eme ed. est dans toutes les bonnes librairies
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...

Kai Schaetzl wrote:
 > Kai Schaetzl wrote:
 > > /usr/local/bin/milter-greylist: cannot change supplementary groups: 
 > > Operation not permitted 
 > >  
 > > My first chosen user daemon indeed has several secondary groups, so I 
 > > changed the user to smmsp. Still that error. group smmsp has a password. I 
 > > changed to user mail, that user's primary group doesn't have a password 
 > > and it doesn't have secondary groups. Still no go. I donated it a real 
 > > login shell. Still no go. What's causing this?
 > 
 > I wanted to revisit this problem today and fix it. milter-greylist had been 
 > running as root for the last days. At least that is what I thought.
 > 
 > from /etc/init.d/greylist:
 > user="root"
 > daemon --user=$user /usr/local/bin/milter-greylist $OPTIONS
 > 
 > from greylist.conf:
 > user="smmsp"
 > 
 > ps says it's indeed running as user smmsp. However, when I change to 
 > user="smmsp" in the init file I get the supplementary groups error. Also, 
 > usually the startup parameters take precedence over greylist.conf.
 > 
 > Isn't that weird?

No, it isn't.  The init.d script starts milter-greylist as
root (using the daemon tool).  Then milter-greylist itself
switches its user ID to smmsp as specified in the .conf
file (which is only possible when it had been started as
root in the first place, of course).

As you might know, initgroups() is not a standard function
(it's not SUSv3 or POSIX), so it's not portable across
platforms.  Even if the function exists on a certain plat-
form, it might behave differently from others.

For example, on FreeBSD, initgroups() exists, but it simply
calls getgrouplist() to get a list of supplementary groups,
and then calls setgroups().  None of those functions is
standard.  Note that setgroups() can _only_ be called by
root, otherwise you'll get EPERM (which makes sense).  That
error is propagated to initgroups(), of course.  So if you
call initgroups() as non-root, you'll get EPERM.

I haven't looked at the milter-greylist code in question,
but I suspect that it calls setuid() first and then it
calls initgroups(), which will fail if implemented in the
way described above.  It should call initgroups() first
and then setuid().  It requires that milter-greylist is
started as root, of course.

As for the question if initgroups() should be called at
all:  Yes, I think it can be useful.  For example, there
may be reasons to have a special group which owns the
milter-greylist dump directory or the .conf file, but not
make it the primary group of the smmsp processes for
security reasons.  Such a setup requires that milter-
greylist has the access rights of a certain supplementary
group which is not its primary group.

Of course, if the OS doesn't support initgroups() at all,
there's not much of a choice.  :-)   But at least all BSDs
(both the free and the commercial ones) support the
initgroups function since the days of 4.2BSD (1983), and
Linux probably sto^H^H^H adopted it from there.  Solaris
has announced to become "Linux-compatible", so I guess
they implemented it in the meanwhile, too.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Being really good at C++ is like being really good
at using rocks to sharpen sticks."
        -- Thant Tessman

maillists@... ("Kai Schaetzl") writes:

> from /etc/init.d/greylist:
> user="root"
> daemon --user=$user /usr/local/bin/milter-greylist $OPTIONS
>
> from greylist.conf:
> user="smmsp"
>
> ps says it's indeed running as user smmsp. However, when I change to 
> user="smmsp" in the init file I get the supplementary groups error. Also, 
> usually the startup parameters take precedence over greylist.conf.
>
> Isn't that weird?

No; 'daemon --user=smmsp milter-greylist ...' executes something like

| sudo smmsp -c "milter-greylist ..."

Therefore, milter-greylist will be started as non-privileged user 'smmsp'
who does not have permissions to execute initgroups().

FWIW, Fedora Extras has a milter-greylist package which should be easy
to adapt for CentOS.



Enrico

On Wed, Mar 29, 2006 at 10:32:09AM +0200, Enrico Scholz wrote:
> Therefore, milter-greylist will be started as non-privileged user 'smmsp'
> who does not have permissions to execute initgroups().

Ok, that explains everything.

Maybe we should just check if euid == 0 and skip any setuid/setgid/initgroups
if it's not the case?

-- 
Emmanuel Dreyfus
manu@...

Emmanuel Dreyfus wrote on Wed, 29 Mar 2006 09:24:03 +0000:

> Maybe we should just check if euid == 0 and skip any setuid/setgid/initgroups 
> if it's not the case?

Not sure what exactly euid is? uid? effective uid?

After all the explanations I think it is simply the init script which is wrong. 
It's wrong to put the intended milter-greylist user as startup option for 
daemon.

Either:
user="smmsp"
OPTIONS="-u $user -P $pidfile -p $socket"

or
#user="smmsp"
OPTIONS="-P $pidfile -p $socket"
#(user is in greylist.conf, anyway)

together with startup line:
daemon /usr/local/bin/milter-greylist $OPTIONS
#(no --user=$user)

will do it.
We don't need any startup user for daemon, it should be started from root 
anyway, shouldn't it?

I verified that it works for me. I also verified that -u overrides the ini 
option.





Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com