qmail-scanner-queue.pl and qq temporary problems with solution

Started by TheGillis, February 23, 2005, 01:20:29 AM


TheGillis

After running the toaster_setup.pl -s test, I found that while running the mail scanning tests, there was one test being run, first against qmail-scanner-queue.pl and the next simscan. On my fresh installation of mail toaster 4.04, the qmail-scanner-queue.pl tests were failing. I was getting the qq temporary problem.

After some digging, I found out that the temporary folder that is used to hold the message while it's being scanned by ClamAV was owned by root and had permissions of 700. That was not acceptable since then ClamAV could not access the folder and hence the qq temporary problem.

Some more digging through the qmail-scanner-queue.pl and I found the code:

$< = $>;            # set real to effective uid

This is a problem, since:

ls -la /var/qmail/bin/qmail-scanner-queue.pl
-rwxr-xr-x  1 clamav  clamav  97920 Feb 10 11:20 /var/qmail/bin/qmail-scanner-queue.pl

That's where the issue lies. It turns out that to use the SUID functionality in perl in the above code, the SUID bit must be set on the perl script.

I have verified that the SUID bit is not set in two other new mail toaster installations, but have been told that older installations correctly set this bit. I have not verified that claim.

The fix is the following:

chmod 6755 /var/qmail/bin/qmail-scanner-queue.pl

Now all the qmail scanner tests pass without qq temporary values.

Hope that helps someone.

From
-The Gillis
http://www.thegillis.net/

matt

Older versions of Mail::Toaster installed /var/qmail/bin/qmail-scanner-queue.pl with permissions of 4755. This requires having a setuid perl. However, newer versions default to using the C wrapper included with qmail-scanner. This removes the setuid perl dependency.

As such, the permissions on qmail-scanner-queue.pl should be 0755, while the permissions on the C wrapper (qmail-scanner-queue) should be 4755. All should be owned by the clamav user/group.

There was a deprecated use of chmod in my script so the permissions on the C wrapper weren't being set properly. You can fix this by running "chmod 4755 /var/qmail/bin/qmail-scanner-queue".  Version 4.05 of Mail::Toaster includes this update.

Note that to use the C wrapper, you should set QMAILQUEUE to point to the C wrapper, not the perl version of the script.

Matt
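
An added example, not part of either post or of Mail::Toaster: a shell check of the layout described in the reply above (perl script 0755, C wrapper 4755, both owned by clamav, QMAILQUEUE naming the wrapper). The function names, argument order and the `--run` switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the layout described in the reply above.
# File names, modes and the clamav owner come from the thread;
# function names and the argument order are assumptions of this sketch.

# True when FILE's permission bits (setuid/setgid included) equal MODE exactly.
mode_is() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# True when FILE is owned by USER and GROUP.
owner_is() { [ -n "$(find "$1" -prune -user "$2" -group "$3" 2>/dev/null)" ]; }

# audit_scanner DIR OWNER GROUP QMAILQUEUE_VALUE
# Prints one line per finding; returns 0 when the layout matches, 1 otherwise.
audit_scanner() {
    dir=$1; owner=$2; group=$3; queue=$4; rc=0
    pl="$dir/qmail-scanner-queue.pl"
    wrap="$dir/qmail-scanner-queue"

    for f in "$pl" "$wrap"; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; rc=1
        elif ! owner_is "$f" "$owner" "$group"; then
            echo "OWNER    $f is not $owner:$group"; rc=1
        fi
    done

    # The perl script must carry no setuid/setgid bit (4755 and 6755 both fail here).
    if [ -f "$pl" ] && ! mode_is "$pl" 0755; then
        echo "MODE     $pl should be 0755"; rc=1
    fi
    # The C wrapper is the only file that should be setuid.
    if [ -f "$wrap" ] && ! mode_is "$wrap" 4755; then
        echo "MODE     $wrap should be 4755"; rc=1
    fi
    # QMAILQUEUE must name the wrapper, not the perl script.
    if [ "$queue" != "$wrap" ]; then
        echo "QUEUE    QMAILQUEUE=$queue should be $wrap"; rc=1
    fi
    return $rc
}

# Check the live paths only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_scanner /var/qmail/bin clamav clamav "${QMAILQUEUE:-}"
fi
```

Run it with `--run` in the same environment qmail-smtpd receives, so that the QMAILQUEUE value it inspects is the one actually in effect.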

