ports/123888: security/amavisd-new broken when running chroot'ed
Helmut Schneider
jumper99 at gmx.de
Thu May 22 09:10:07 UTC 2008
>Number: 123888
>Category: ports
>Synopsis: security/amavisd-new broken when running chroot'ed
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 22 09:10:06 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Helmut Schneider
>Release: 7.0-RELEASE
>Organization:
>Environment:
>Description:
[root at FBSD70VM ~]# amavisd debug
May 22 10:47:51.064 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: starting. /usr/local/sbin/amavisd at FBSD70VM.v-pe.de amavisd-new-2.6.0 (20080423), Unicode aware
May 22 10:47:51.065 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: user=, EUID: 110 (110); group=, EGID: 110 110 (110 110)
May 22 10:47:51.065 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Perl version 5.008008
May 22 10:47:51.853 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: INFO: SA version: 3.2.4, 3.002004, no optional modules: Mail::SpamAssassin::SQLBasedAddrList Net::CIDR::Lite Sys::Hostname::Long DBD::mysql Mail::SpamAssassin::BayesStore::PgSQL IP::Country::Fast Image::Info Image::Info::GIF Image::Info::JPEG Image::Info::PNG Image::Info::TIFF Mail::SPF::Query
May 22 10:47:51.853 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: SpamControl: init_pre_chroot on SpamAssassin done
May 22 10:47:51.854 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: 2008/05/22-10:47:51 Amavis (type Net::Server::PreForkSimple) starting! pid(81036)
May 22 10:47:51.862 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Binding to UNIX socket file /var/amavis/amavisd.sock using SOCK_STREAM
May 22 10:47:51.863 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
May 22 10:47:51.864 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Group Not Defined. Defaulting to EGID '110 110'
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: User Not Defined. Defaulting to EUID '110'
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: Chrooting to /var/amavis
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: (!)Net::Server: 2008/05/22-10:47:51 Couldn't chroot to "/var/amavis": Operation not permitted\n at line 523 in file /usr/local/lib/perl5/site_perl/5.8.8/Net/Server.pm
May 22 10:47:51.865 FBSD70VM.v-pe.de /usr/local/sbin/amavisd[81036]: Net::Server: 2008/05/22-10:47:51 Server closing!
[root at FBSD70VM ~]#
I guess Net::Server tries to chroot as non-root (GID/UID vscan) which according to "man 2 chroot" is not allowed.
>How-To-Repeat:
Install amavisd-new 2.6 and set
$daemon_chroot_dir = $MYHOME;
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
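
The ordering problem the report points at, shown as an added C example (not code from amavisd-new, Net::Server or the FreeBSD port): chroot(2) requires superuser privilege, so a daemon has to call it before switching to its unprivileged UID/GID. `enter_jail` and the `jail_result` codes are hypothetical names; the directory and IDs used in `main` are the ones from the log above.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* glibc: expose chroot() and setgroups() */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_result { JAIL_OK, JAIL_NOT_ROOT, JAIL_CHROOT, JAIL_CHDIR, JAIL_DROP, JAIL_REGAINED };

/* Hypothetical helper: confine the process to `dir`, then become uid/gid.
 * chroot(2) needs superuser privilege, so it must run BEFORE the drop. */
enum jail_result enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* The state in the report's log: EUID is already 110 when chroot is tried. */
    if (geteuid() != 0)
        return JAIL_NOT_ROOT;
    if (chroot(dir) != 0)              /* 1. change the root while still root */
        return JAIL_CHROOT;
    if (chdir("/") != 0)               /* 2. move the cwd inside the new root */
        return JAIL_CHDIR;
    /* 3. supplementary groups, then gid, then uid: uid goes last because
     *    setgroups()/setgid() stop working once root is given up */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_DROP;
    if (setuid(0) == 0)                /* 4. the drop must not be reversible */
        return JAIL_REGAINED;
    return JAIL_OK;
}

int main(void)
{
    static const char *const msg[] = { "jailed and unprivileged", "not started as root",
        "chroot failed", "chdir failed", "privilege drop failed", "root could be regained" };
    /* Directory and IDs taken from the log in the report. */
    enum jail_result r = enter_jail("/var/amavis", 110, 110);
    int sys = (r == JAIL_CHROOT || r == JAIL_CHDIR || r == JAIL_DROP);
    fprintf(stderr, "enter_jail: %s%s%s\n", msg[r], sys ? ": " : "", sys ? strerror(errno) : "");
    return r == JAIL_OK ? 0 : 1;
}
```

Run as an unprivileged user, this stops at `JAIL_NOT_ROOT` instead of reaching the `Operation not permitted` error seen in the log.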