RES: [rt-users] Using the majordomo wrapper program to get around setuid problem

Presciliano dos Santos Neto psneto at telepar.com.br
Tue Dec 4 09:00:17 EST 2001


Yes !! It worked fine !!!

Thanks,

Presciliano


> ----- Original message -----
> From:		Bruce Campbell [SMTP:bruce_campbell at ripe.net]
> Sent:		Tuesday, 4 December 2001 11:47
> To:		'rt-users at lists.fsck.com'
> Cc:		Presciliano dos Santos Neto
> Subject:		[rt-users] Using the majordomo wrapper program to get around setuid problem
> 
> 
> ( Subject changed to make it easier for people searching the archives )
> 
> This is a brief rundown on how to use a setuid program to invoke
> rt-mailgate, when your OS's perl cannot (or won't) do setuid properly.
> 
> Firstly, compile and install RT.
> 
> Secondly, retrieve and extract majordomo from
> ftp://ftp.greatcircle.com/pub/majordomo .  I used version 1.94.5 for this.
> I've also attached to this message a cut-down Makefile and the original
> wrapper.c .
> 
> Thirdly, edit the Majordomo Makefile (or the attached one) and change the
> following variables:
> 
> 	W_HOME = /path/to/rt2/bin
> 	W_USER = NUMERIC_ID_OF_RT_USER
> 	W_GROUP = NUMERIC_ID_OF_RT_GROUP
> 
> Next, run 'make wrapper', and 'make install-wrapper' as root.
> 
> Finally, put it in your /etc/aliases (or appropriate MTA location) as (on
> one line of course):
> 
> 	rt-comment: "|/path/to/rt2/bin/wrapper rt-mailgate --queue
> 		QUEUE_NAME --action comment"
> and
> 	rt:         "|/path/to/rt2/bin/wrapper rt-mailgate --queue
> 		QUEUE_NAME --action correspond"
> 
> ( Note that wrapper only looks for the program (1st argument) in the HOME
>   directory defined below.  You don't need to put
>   '/path/to/rt2/bin/rt-mailgate' in the alias file )
> 
> When fault-finding, note that /path/to/rt2/bin/wrapper should be setuid,
> be owned by root and the RT group, and the /path/to/rt2/bin should be
> within the wrapper binary, ie:
> 
> 	$ strings -a /path/to/rt2/bin/wrapper
> 	 HOME
> 	HOME=/path/to/rt2/bin
> 	    HOME is %s,
> 
> If HOME=/something/else, then you've probably ended up with your majordomo
> version of wrapper.
> 
> Your next port of call is ensuring that /path/to/rt2/bin/rt-mailgate
> is executable by the RT user, that the
> directory tree all the way to the / is accessible by the RT user, and the
> perl indicated by the first '#!' line is executable by the RT user.  Then
> further fault-find by judicious application of perl -c and checking that
> the RT user can access all the libraries, *including*
> /path/to/rt2/etc/config.pm .
> 
> I hope this helps.
> 
> Regards,
> 
> -- 
>                              Bruce Campbell
>                              RIPE NCC Operations
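
The fault-finding steps in the quoted message, collected into one shell function as an added example (not part of the original thread, nor of RT or majordomo). The name check_rt_wrapper and its optional group-ID argument are assumptions; run it as the RT user so the executability checks reflect that user's access.

```shell
#!/bin/sh
# Added example: the fault-finding checks from the message, to be run as the
# RT user. check_rt_wrapper is a hypothetical helper name. It prints one line
# per problem and returns non-zero if it found any.
# Usage: check_rt_wrapper /path/to/rt2/bin [NUMERIC_ID_OF_RT_GROUP]
check_rt_wrapper() {
    bindir=$1 rtgid=${2:-} problems=0
    wrapper=$bindir/wrapper gate=$bindir/rt-mailgate
    note() { echo "PROBLEM: $*"; problems=$((problems + 1)); }
    case $bindir in /*) ;; *) echo "need an absolute path"; return 2 ;; esac

    if [ ! -f "$wrapper" ]; then
        note "wrapper missing: $wrapper"
    else
        [ -u "$wrapper" ] || note "wrapper is not setuid"
        # Fields 3 and 4 of 'ls -ln' are the numeric owner and group.
        ids=$(ls -ln "$wrapper" | awk '{print $3 ":" $4}')
        [ "${ids%%:*}" = 0 ] || note "wrapper owner uid is ${ids%%:*}, expected 0"
        [ -z "$rtgid" ] || [ "${ids##*:}" = "$rtgid" ] ||
            note "wrapper gid is ${ids##*:}, expected $rtgid"
        # Portable stand-in for 'strings -a': split on non-printable bytes,
        # then look for the compiled-in HOME as a whole string.
        LC_ALL=C tr -c '[:print:]' '\n' < "$wrapper" |
            grep -F -x -q "HOME=$bindir" ||
            note "HOME=$bindir is not compiled into wrapper"
    fi

    if [ ! -x "$gate" ]; then
        note "rt-mailgate not executable: $gate"
    else
        # The interpreter on the '#!' line must be executable as well.
        interp=$(sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p' "$gate")
        [ -n "$interp" ] && [ -x "$interp" ] ||
            note "interpreter not executable: ${interp:-no #! line}"
    fi

    # Every directory from bindir up to / must be searchable.
    d=$bindir
    while [ -n "$d" ]; do
        [ -x "$d" ] || note "directory not accessible: $d"
        d=${d%/*}
    done
    [ "$problems" -eq 0 ]
}
```

A "HOME=... is not compiled into wrapper" line corresponds to the case the message describes, where the installed binary is the majordomo build of wrapper instead of the one built with W_HOME set for RT.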



