Hi all, every time after yast ran suseconfig /proc is additionally mounted *read-only* as /var/spool/postfix/proc. My question is how to get rid of this feature. Yes, this may be slightly off topic here, but at least it prevents me from running online-update (yast) and iptables things (write in proc) cron-based without umounting a filesystem first - seems to be nonsense. It concerns all of my boxes running 9.2 with postfix chrooted by yast. Unmounting /var/spool/postfix/proc does apparently not affect anything. Is there a deeper meaning in it in the end? Thanks for any even deeper insight! Joe
Hi Joe, On Saturday 23 April 2005 03:38, Joe Knall wrote:
Hi all,
every time after yast ran suseconfig /proc is additionally mounted *read-only* as /var/spool/postfix/proc.
My question is how to get rid of this feature.
Yes, this may be slightly off topic here, but at least it prevents me from running online-update (yast) and iptables things (write in proc) cron-based without umounting a filesystem first - seems to be nonsense. It concerns all of my boxes running 9.2 with postfix chrooted by yast. Unmounting /var/spool/postfix/proc does apparently not affect anything.
Is there a deeper meaning in it in the end? Thanks for any even deeper insight! Joe
just an idea: did you configure postfix to run in a chroot-jail? This might cause such a thing.... Bye, Jürgen
Jürgen Mell wrote:
Hi Joe,
On Saturday 23 April 2005 03:38, Joe Knall wrote:
Hi all,
every time after yast ran suseconfig /proc is additionally mounted *read-only* as /var/spool/postfix/proc.
My question is how to get rid of this feature.
Yes, this may be slightly off topic here, but at least it prevents me from running online-update (yast) and iptables things (write in proc) cron-based without umounting a filesystem first - seems to be nonsense. It concerns all of my boxes running 9.2 with postfix chrooted by yast. Unmounting /var/spool/postfix/proc does apparently not affect anything.
Is there a deeper meaning in it in the end? Thanks for any even deeper insight! Joe
just an idea: did you configure postfix to run in a chroot-jail? This might cause such a thing....
Bye,
Jürgen
9.1 is even affected by this. O.K., in chroot it makes sense, but not for /proc outside the chroot jail. How do I prevent this with postfix and chroot? Philippe
--
This message is digitally signed and contains neither a seal nor a signature! Unsolicited sending of advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!
On Samstag, 23. April 2005 03:38 Joe Knall wrote:
Hi all,
every time after yast ran suseconfig /proc is additionally mounted *read-only* as /var/spool/postfix/proc.
My question is how to get rid of this feature.
This behaviour is caused by the following lines in /sbin/conf.d/SuSEconfig.postfix:

    mkdir -p /var/spool/postfix/proc
    if ! grep /var/spool/postfix/proc /proc/mounts &> /dev/null; then
        mount -o ro -t proc proc /var/spool/postfix/proc
    fi

After commenting them out my problem is solved so far.
Unmounting /var/spool/postfix/proc does apparently not affect anything.
Is there a deeper meaning in it in the end?
This question is still open. Is there anybody in the know? Thanks for your comments Joe
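Added example, not code from the thread and not SuSE's or Postfix's own: a small POSIX shell audit that lists every proc filesystem mounted at or below a jail directory, together with its mount options, using the same /proc/mounts table the SuSEconfig snippet above consults. The function and variable names (proc_mounts_under, count_proc_mounts_under, SAMPLE_MOUNTS) are my own, and the mounts table is a constructed sample modelled on what the thread describes, passed in as text so the check can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): audit which directories under a chroot
# have a proc filesystem mounted. /proc/mounts lines have the layout
#   device mountpoint fstype options dump pass
# so field 2 is the mountpoint, field 3 the fstype and field 4 the options.

# proc_mounts_under JAIL MOUNTS_TEXT
# Prints "mountpoint options" for every proc mount whose mountpoint is the
# jail itself or lies beneath it. The match is anchored on whole path
# components, so /var/spool/postfix2 is not reported for jail
# /var/spool/postfix (a plain grep on the path, as in SuSEconfig, would be).
proc_mounts_under() {
    jail="${1%/}"   # strip one trailing slash; "/" becomes "" and matches everything
    printf '%s\n' "$2" | awk -v jail="$jail" '
        $3 == "proc" && ($2 == jail || index($2, jail "/") == 1) { print $2, $4 }
    '
}

# count_proc_mounts_under JAIL MOUNTS_TEXT -> number of matching proc mounts
count_proc_mounts_under() {
    proc_mounts_under "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample (assumption, not captured from a real box) of what
# /proc/mounts looks like after SuSEconfig.postfix has run: the real /proc
# read-write plus the read-only copy inside the Postfix jail. The ext3 line
# exists only to show that the prefix check does not over-match.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nodiratime 0 0
sysfs /sys sysfs rw 0 0
proc /var/spool/postfix/proc proc ro 0 0
/dev/sda3 /var/spool/postfix2 ext3 rw 0 0'

# Usage: ./audit.sh --live [JAIL]  audits the running system's /proc/mounts
#        (defaults to the Postfix jail); with no arguments it only defines
#        the functions above, which is what the sample run below relies on.
if [ "${1:-}" = "--live" ]; then
    proc_mounts_under "${2:-/var/spool/postfix}" "$(cat /proc/mounts)"
fi
```

Run against the constructed table, `proc_mounts_under /var/spool/postfix "$SAMPLE_MOUNTS"` prints `/var/spool/postfix/proc ro`, i.e. exactly the extra mount Joe is asking about, while the same call for /var/spool/postfix2 prints nothing. Because the options column is printed as well, the output also answers Philippe's later "ro and rw?" question directly from the mount table rather than from a failed write.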
On Sat, 23 Apr 2005, Joe made the net somewhat safer by saying:
On Samstag, 23. April 2005 03:38 Joe Knall wrote: [..]
Unmounting /var/spool/postfix/proc does apparently not affect anything.
Is there a deeper meaning in it in the end?
This question is still open. Is there anybody in the know? Thanks for your comments
Don't enable chroot for Postfix, unless you know what you're doing. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 9.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.8 + See headers for PGP/GPG info.
On Sonntag, 24. April 2005 17:43 Theo v. Werkhoven wrote:
On Sat, 23 Apr 2005, Joe made the net somewhat safer by saying:
On Samstag, 23. April 2005 03:38 Joe Knall wrote:
[..]
Unmounting /var/spool/postfix/proc does apparently not affect anything.
Is there a deeper meaning in it in the end?
This question is still open. Is there anybody in the know? Thanks for your comments
Don't enable chroot for Postfix, unless you know what you're doing.
Theo
Well, that may be correct. Would you mind providing me any enlightening link or so to let me really make the net somewhat safer? Btw, my chrooted apaches, mysql and squid all work well without a proc filesystem within their jails, but those are self-made. With postfix I just use a feature included in delivery. And that's one of the reasons why I still ask for the meaning behind this config of postfix or whatever may be behind it. Thank you nonetheless Joe
Hi!
Unmounting /var/spool/postfix/proc does apparently not affect anything.
Is there a deeper meaning in it in the end?
My question still is: Why does this affect /proc? If I run postfix in chroot and I want to restart my firewall script it tells me /proc is ro and I can't set kernel parameters. If I boot, postfix is started after the firewall is initialized - this means at boot time it will set options as I desire. If I want to change things at runtime, e.g. after setup of a new box with a new firewall rule for it, I get the error /proc is ro :) Any conclusions? By the way, why is proc mounted ro and rw? Second thing: If I get access to /proc, chroot can be escaped and - even if only ro - any malicious user can read files from /proc with the process user's rights. This means for me chrooted postfix within SuSE isn't what it's expected to be - any attacker can escape chroot, maybe only ro, but he/she can. This behavior I got with a self-crafted chroot apache with /proc access as well. Am I right or what did I forget about this? Philippe
On Sun, 24 Apr 2005, Joe made the net somewhat safer by saying:
On Sonntag, 24. April 2005 17:43 Theo v. Werkhoven wrote:
On Sat, 23 Apr 2005, Joe made the net somewhat safer by saying:
On Samstag, 23. April 2005 03:38 Joe Knall wrote:
[..]
Unmounting /var/spool/postfix/proc does apparently not affect anything.
Is there a deeper meaning in it in the end?
This question is still open. Is there anybody in the know? Thanks for your comments
Don't enable chroot for Postfix, unless you know what you're doing.
Theo
Well, that may be correct. Would you mind providing me any enlightening link or so to let me really make the net somewhat safer?
The topic regularly comes up in the Postfix mailinglist. There's a script in the Postfix documentation directory to setup chroot without the special SuSE tricks. /usr/share/doc/packages/postfix/examples/chroot-setup/LINUX2
Btw, my chrooted apaches, mysql and squid all work well without a proc filesystem within their jails, but those are self-made. With postfix I just use a feature included in delivery. And that's one of the reasons why I still ask for the meaning behind this config of postfix or whatever may be behind it.
I can't guess the reasons behind SuSE's implementation of the chroot environment for Postfix, I do know that Postfix's author tells people that chroot isn't an end to all security problems and it can be more trouble than it's worth. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 9.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.8 + See headers for PGP/GPG info. Claimer: any email I receive will become my property. Disclaimers do not apply.
On Wednesday, 27. April 2005 21:07 Theo v. Werkhoven wrote:
There's a script in the Postfix documentation directory to setup chroot without the special SuSE tricks. /usr/share/doc/packages/postfix/examples/chroot-setup/LINUX2
Thank you, I should have read this before... and it confirms my thoughts.
I can't guess the reasons behind SuSE's implementation of the chroot environment for Postfix, I do know that Postfix's author tells people that chroot isn't an end to all security problems and it can be more trouble than it's worth.
Theo
That's clear so far. But after all I did learn a lot from playing with chroot jails and that's real fun :) Ok now, bye Joe
participants (4)
- Joe Knall
- Jürgen Mell
- Philippe Vogel
- Theo v. Werkhoven