AMaViS - A Mail Virus Scanner

Michael,

> I'm having trouble with suexec,

amavisd-release need not run as any specific user, all it needs
is an access to an inet or unix socket offered by amavisd.

> I think, though I cannot get my server
> to log any reason the amavisd-release script fails to function on
> this particular machine. My mailaction.php file successfully extracts
> the necessary info from my mysql tables and updates them appropriately,
> and when I code in a stop-and-print clause it gives me a line like
>     /usr/bin/amavisd-release A/spam-A+G9qRownvNQ.gz ulQHmofRDPr1
> that I can paste into a shell and successfully release the message from
> quarantine.
> This has had me going for days now! Any examples/suggestions please

Try changing
  $log_level = 1;
to
  $log_level = 2;

within amavisd-release. Perhaps also redirect its stderr to some file,
then see what is reported.

  Mark

Mark Martinec wrote:
> Try changing
>   $log_level = 1;
> to
>   $log_level = 2;
>
> within amavisd-release. Perhaps also redirect its stderr to some file,
> then see what is reported.
>   

Thanks Mark, I changed the log level OK but am at a loss regarding the
error messages. amavisd logs fine to my maillog but amavisd-release
doesn't appear to log anywhere at all. Please, what do I add (and where)
to start logging to, say, /var/log/amavisd-release.log

Thanks!!





-- 
Michael Slavin /o\~/o\~/o\ 226 Santa Fe Dr.  Baldwin City, KS  66006
theWebster  ***  electronic internet publishing and graphic services
                                  (everywhere)

tel 785 594-6621                           verizon cell 785 766-8756


Get Thunderbird <http://www.mozilla.com/thunderbird/>, Firefox
<http://www.mozilla.com/firefox/>, and MailDad <http://maildad.com/>,
and you're in good hands....

Michael,

> > Try changing
> >   $log_level = 1;
> > to
> >   $log_level = 2;
> > within amavisd-release. Perhaps also redirect its stderr to some file,
> > then see what is reported.
>
> Thanks Mark, I changed the log level OK but am at a loss regarding the
> error messages. amavisd logs fine to my maillog but amavisd-release
> doesn't appear to log anywhere at all. Please, what do I add (and where)
> to start logging to, say, /var/log/amavisd-release.log

amavisd-release logs to stderr. Perhaps you changed $log_level in
file amavisd.conf - which has no effect on amavisd-release.
The setting must be changed directly in a program amavisd-release,
somewhere near its beginning.

  Mark

My problem is that stderr messages just seem to vanish. Other errors in 
the web page that calls this script get logged to weblogs just fine. 
Perhaps there's a perl setting to run in stealth mode or something? I'm 
just not real big on sysadmin and this machine seems to have newer 
versions of just about everything.

Perhaps defining a logfile and then changing the do_log sub to
      print >>$logfile sanitize_str($errmsg),"\n"  if $level <= $log_level;
might work?

Mark Martinec wrote:
> Michael,
>   
>>> Try changing
>>>   $log_level = 1;
>>> to
>>>   $log_level = 2;
>>> within amavisd-release. Perhaps also redirect its stderr to some file,
>>> then see what is reported.
>>>       
>> Thanks Mark, I changed the log level OK but am at a loss regarding the
>> error messages. amavisd logs fine to my maillog but amavisd-release
>> doesn't appear to log anywhere at all. Please, what do I add (and where)
>> to start logging to, say, /var/log/amavisd-release.log
>>     
>
> amavisd-release logs to stderr. Perhaps you changed $log_level in
> file amavisd.conf - which has no effect on amavisd-release.
> The setting must be changed directly in a program amavisd-release,
> somewhere near its beginning.
>
>   Mark
>
>   


-- 
Michael Slavin /o\~/o\~/o\ 226 Santa Fe Dr.  Baldwin City, KS  66006
theWebster  ***  electronic internet publishing and graphic services
                                 (everywhere)

tel 785 594-6621                           verizon cell 785 766-8756


Get Thunderbird <http://www.mozilla.com/thunderbird/>, Firefox 
<http://www.mozilla.com/firefox/>, and MailDad <http://maildad.com/>, 
and you're in good hands....

OK, I've made a little headway.
I changed mailaction.php line 19 to:
    $ar_call = "/usr/bin/amavisd-release ".$qfile[0]." ".$sid." >> 
/var/log/amavis-releaselog  2>&1";
I also found some error messages from apache. I have the default server 
name the same as the virtual host where these scripts live, and apache 
logs some errors to the virtual host logs and some to the mail web logs.

I now see in my amavis-releaselog:
    Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock: 
Permission denied at /usr/bin/amavisd-release line 206.

line 206 is
    $sock->connect( pack_sockaddr_un($socketname) )

I have already verified that the string mailaction.php passes to 
amavisd-release is OK, and runs correctly in a shell, and also that when 
it is run from a shell it logs everything to the logfile.

-m


Michael Slavin wrote:
> My problem is that stderr messages just seem to vanish. Other errors in 
> the web page that calls this script get logged to weblogs just fine. 
> Perhaps there's a perl setting to run in stealth mode or something? I'm 
> just not real big on sysadmin and this machine seems to have newer 
> versions of just about everything.
>
> Perhaps defining a logfile and then changing the do_log sub to
>       print >>$logfile sanitize_str($errmsg),"\n"  if $level <= $log_level;
> might work?
>
> Mark Martinec wrote:
>   
>> Michael,
>>   
>>     
>>>> Try changing
>>>>   $log_level = 1;
>>>> to
>>>>   $log_level = 2;
>>>> within amavisd-release. Perhaps also redirect its stderr to some file,
>>>> then see what is reported.
>>>>       
>>>>         
>>> Thanks Mark, I changed the log level OK but am at a loss regarding the
>>> error messages. amavisd logs fine to my maillog but amavisd-release
>>> doesn't appear to log anywhere at all. Please, what do I add (and where)
>>> to start logging to, say, /var/log/amavisd-release.log
>>>     
>>>       
>> amavisd-release logs to stderr. Perhaps you changed $log_level in
>> file amavisd.conf - which has no effect on amavisd-release.
>> The setting must be changed directly in a program amavisd-release,
>> somewhere near its beginning.
>>
>>   Mark
>>
>>   
>>     
>
>
>   

-- 
Michael Slavin /o\~/o\~/o\ 226 Santa Fe Dr.  Baldwin City, KS  66006
theWebster  ***  electronic internet publishing and graphic services
                                 (everywhere)

tel 785 594-6621                           verizon cell 785 766-8756


Get Thunderbird <http://www.mozilla.com/thunderbird/>, Firefox 
<http://www.mozilla.com/firefox/>, and MailDad <http://maildad.com/>, 
and you're in good hands....

Mark,

Thank you for your patience and time with this. I still haven't got it 
working.

Mark Martinec wrote:
> amavisd-release need not run as any specific user, all it needs
> is an access to an inet or unix socket offered by amavisd.
If run as root, it works fine. Run from the web script mailaction.php it 
does not. I guess it is not a suexec issue as amavisd-release does 
start, but then fails and logs
   
    Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock:
    Permission denied at /usr/bin/amavisd-release line 206.

I finally tried from a shell, su webadmin and then run the release 
command, that also fails with the socket permission error.

    srwxr-x--- 1 amavis amavis 0 Sep 17 17:19 
/var/spool/amavisd/amavisd.sock
    -rwxr-xr-x 1 root root  9194 Sep 29 14:08 /usr/bin/amavisd-release

What am I still doing wrong here??

Michael

Mark,

Thank you for your patience and time with this. I still haven't got it
working.

Mark Martinec wrote:
> amavisd-release need not run as any specific user, all it needs
> is an access to an inet or unix socket offered by amavisd.

If run as root, it works fine. Run from the web script mailaction.php it
does not. I guess it is not a suexec issue as amavisd-release does
start, but then fails and logs

    Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock:
    Permission denied at /usr/bin/amavisd-release line 206.

I finally tried from a shell, su webadmin and then run the release
command, that also fails with the socket permission error.

    srwxr-x--- 1 amavis amavis 0 Sep 17 17:19
/var/spool/amavisd/amavisd.sock
    -rwxr-xr-x 1 root root  9194 Sep 29 14:08 /usr/bin/amavisd-release

(sorry if the above gets posted twice, I sent it ten hours ago and don't 
see it coming through.)

I've now created another subdomain in order to run mailaction.php using 
suexec amavis and still get the same "Permission denied" error from 
amavisd-release.


Michael



-- 
Michael Slavin /o\~/o\~/o\ 226 Santa Fe Dr.  Baldwin City, KS  66006
theWebster  ***  electronic internet publishing and graphic services
                                  (everywhere)

tel 785 594-6621                           verizon cell 785 766-8756


Get Thunderbird <http://www.mozilla.com/thunderbird/>, Firefox
<http://www.mozilla.com/firefox/>, and MailDad <http://maildad.com/>,
and you're in good hands....

Michael,

> > amavisd-release need not run as any specific user, all it needs
> > is an access to an inet or unix socket offered by amavisd.
>
> If run as root, it works fine. Run from the web script mailaction.php it
> does not. I guess it is not a suexec issue as amavisd-release does
> start, but then fails and logs
>     Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock:
>     Permission denied at /usr/bin/amavisd-release line 206.
>
> I finally tried from a shell, su webadmin and then run the release
> command, that also fails with the socket permission error.
>  srwxr-x--- 1 amavis amavis 0 Sep 17 17:19 /var/spool/amavisd/amavisd.sock

You've answered yourself, it's a permission problem.

The easiest way out is to abandon Unix socket and use an inet socket
on a TCP port dedicated to releasing, e.g.:

  $inet_socket_port = [10024,9998];
  $unix_socketname = undef;

# used by amavisd-release utility of a new AM.PDP-based amavis-milter client
  $interface_policy{'9998'} = 'AM.PDP-INET';

  $policy_bank{'AM.PDP-INET'} = {
    protocol => 'AM.PDP', # Amavis policy delegation protocol
    inet_acl => [qw( 127.0.0.1 [::1])],
  };


And in amavisd-release, change socket to:

  $socketname = '127.0.0.1:9998';



Alternatively, modifying a file amavisd like this:

--- amavisd~	2008-06-29 02:37:58.000000000 +0200
+++ amavisd	2008-10-02 16:28:44.000000000 +0200
@@ -8716,5 +8716,5 @@
 ### but before binding to sockets
 sub post_configure_hook {
-# umask(0007);  # affect protection of Unix sockets created by Net::Server
+  umask(0007);  # affect protection of Unix sockets created by Net::Server
 }
 
lets Net::Server create sockets as group-writable, which would
allow access to a mavisd-release client if its UID is added to
the amavis group (in /etc/group).


> I've now created another subdomain in order to run mailaction.php using
> suexec amavis and still get the same "Permission denied" error from
> amavisd-release.

That I can not explain. It's all about classical Unix permissions,
unless some mandatory access controls are in place.

  Mark

Mark Martinec wrote:
> Michael
>>> amavisd-release need not run as any specific user, all it needs
>>> is an access to an inet or unix socket offered by amavisd.
>>>       
>> If run as root, it works fine. Run from the web script mailaction.php it
>> does not. I guess it is not a suexec issue as amavisd-release does
>> start, but then fails and logs
>>     Can't connect to UNIX socket /var/spool/amavisd/amavisd.sock:
>>     Permission denied at /usr/bin/amavisd-release line 206.
>>
>> I finally tried from a shell, su webadmin and then run the release
>> command, that also fails with the socket permission error.
>>  srwxr-x--- 1 amavis amavis 0 Sep 17 17:19 /var/spool/amavisd/amavisd.sock
>>     
>
> You've answered yourself, it's a permission problem.
>
> The easiest way out is to abandon Unix socket and use an inet socket
> on a TCP port dedicated to releasing, e.g.:
>
>   $inet_socket_port = [10024,9998];
>   $unix_socketname = undef;
>
> # used by amavisd-release utility of a new AM.PDP-based amavis-milter client
>   $interface_policy{'9998'} = 'AM.PDP-INET';
>
>   $policy_bank{'AM.PDP-INET'} = {
>     protocol => 'AM.PDP', # Amavis policy delegation protocol
>     inet_acl => [qw( 127.0.0.1 [::1])],
>   };
>
>
> And in amavisd-release, change socket to:
>
>   $socketname = '127.0.0.1:9998';
>
>   
Yes! :) Joy at last, thanks a million.

Michael