"Insecure Dependencies" with majordomo

28 Studios

Verified User · Joined Jun 22, 2008 · Messages: 9
I've updated several packages and updated to the latest custombuild, and now have the following problems with majordomo.

It seems majordomo is now having perlsec problems. I've searched high and low but can't find a solution.

The first symptom was when sending to a maillist you get a bounce back:


Code:
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

 pipe to |/etc/virtual/majordomo/wrapper resend -C /etc/virtual/domain.com/majordomo/majordomo.cf -l core -h domain.com -f owner-core [email protected]
   generated by [email protected]
   local delivery failed

The following text was generated during the delivery attempt:

------ pipe to |/etc/virtual/majordomo/wrapper resend -C /etc/virtual/woose.org/majordomo/majordomo.cf -l core -h domain.com -f owner-core [email protected]
      generated by [email protected] ------

Insecure dependency in require while running setuid at /etc/virtual/majordomo/resend line 91.

Line 91 is a 'require "$cf";'. $cf is for the config file to use and it seems this is getting tainted somewhere.


I tried re-installing majordomo from scripts/majordomo.sh and then ran majordomo's config-test. It gets the following:

Code:
$ cd /etc/virtual/majordomo; ./wrapper config-test
------------------------------------------------------------
---------------- Config-test for Majordomo ----------------
------------------------------------------------------------


--------------------- Obvious things: ---------------------
------------------ environment variables ------------------
   HOME=/etc/virtual/majordomo
   LOGNAME=root
   MAJORDOMO_CF=/etc/virtual/majordomo/majordomo.cf
   PATH=/bin:/usr/bin:/usr/ucb
   SHELL=/bin/sh
   USER=root
--------------------- euid/egid checks ---------------------
   effective user  = root (uid 0)
   effective group = bin root (gid 2 0 )
---------------------- uid/gid checks ----------------------
   real      user  = majordomo (uid 1001)
   real      group = bin root (gid 2 0 )
------------------------------------------------------------

	Non obvious things that cause headaches:

------------------------------------------------------------
Insecure dependency in eval while running setuid at /etc/virtual/majordomo/config-test line 122.
 
Hello,

The /etc/virtual/majordomo was set to be chmod to 750 for the last release.
It was 755 before, but set to 750 instead because of the suid binary in that folder. We did test here with the 750 permission and it worked ok for us.

Try:
Code:
cd /usr/local/directadmin/scripts
./set_permissions.sh email
in case something else's permissions might be off. You can also try setting it back to 755 just to see if that changes anything or not.

Also the GID is supposed to be daemon.. so something may be off there... bin isn't right.

John
 
John was very helpful in working with me on this.

First, there were some permission problems. We found a bug in the majordomo.sh script for Linux. It will be released in a new version, but now it is at http://files.directadmin.com/services/all/majordomo/majordomo.sh . It goes into /usr/local/directadmin/scripts .

However, the specific problem is that perl was running in "taint" mode and was complaining the code was insecure and then dying. The solution I found, although not pretty, was to change the start of each of the perl scripts in /etc/virtual/majordomo/ to

Code:
#!/usr/bin/perl -U -I /etc/virtual/majordomo

The -U option tells perl to treat taint errors as warnings. Also, taint mode removes the current directory from the @INC path, so the -I was necessary so the scripts could again find several required files.

With these changes my mail lists are again working.
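
An added example, not part of the thread and not Majordomo or DirectAdmin code: a way to keep taint checks fatal by untainting the `-C` config path through a strict regex capture before it reaches `require`, and by naming the library directory with `use lib` instead of `-I`. The function name `untaint_cf` and the allow-list pattern are assumptions, built from the two config paths shown in the thread's output.

```perl
#!/usr/bin/perl -T
# Added example, not Majordomo or DirectAdmin code. Run with: perl -T untaint_cf.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode drops "." from @INC, so name the library directory explicitly
# here rather than passing -I on every script's #! line.
use lib '/etc/virtual/majordomo';

# Assumed allow-list: the global config and the per-domain layout seen in the
# thread's bounce message. \A ... \z rejects trailing newlines and extra text.
my $CF_RE = qr{
    \A (
        /etc/virtual/
        (?: majordomo                                               # global config
          | (?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,} /majordomo )  # per-domain config
        /majordomo\.cf
    ) \z
}x;

# Returns an untainted copy of the path, or undef when it does not match.
# Only a regex capture ($1) is treated as clean data by Perl's taint checks.
sub untaint_cf {
    my ($path) = @_;
    return unless defined $path;
    return $path =~ $CF_RE ? $1 : undef;
}

# Constructed samples. Appending a zero-length substr of a tainted value
# taints the string, simulating a -C argument arriving from the mail pipe.
my $taint = substr("$0$^X", 0, 0);
for my $sample (
    '/etc/virtual/domain.com/majordomo/majordomo.cf',
    '/etc/virtual/majordomo/majordomo.cf',
    '/etc/virtual/domain.com/../../tmp/majordomo.cf',
    "/etc/virtual/domain.com/majordomo/majordomo.cf\n",
    '/tmp/majordomo.cf',
) {
    my $cf    = $sample . $taint;          # tainted, like real input
    my $clean = untaint_cf($cf);
    (my $shown = $sample) =~ s/\n/\\n/g;   # make the newline visible
    my $verdict = defined $clean
        ? sprintf('accepted (tainted=%d)', tainted($clean) ? 1 : 0)
        : 'rejected';
    printf "%-50s in: tainted=%d  out: %s\n", $shown, tainted($cf) ? 1 : 0, $verdict;
}
```

In a script such as `resend`, the value returned by `untaint_cf` is what would be handed to `require`, with the script exiting when it returns undef.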
 