From: Paul L. <pa...@sq...> - 2013-06-27 08:26:27
On Thu, Jun 27, 2013 at 1:00 AM, Bu Xiaobing <bus...@gm...> wrote:
> On 2013-6-27 15:58, Bu Xiaobing wrote:
>> On 2013-6-27 15:50, Paul Lesniewski wrote:
>>> On Thu, Jun 27, 2013 at 12:36 AM, Bu Xiaobing <bus...@gm...> wrote:
>>>> On 2013-6-27 15:14, Paul Lesniewski wrote:
>>>>> On Thu, Jun 27, 2013 at 12:09 AM, Bu Xiaobing <bus...@gm...> wrote:
>>>>>> On 2013-6-25 7:14, Paul Lesniewski wrote:
>>>>>>>> I think the problem with setgroups(0, NULL): Operation not permitted has
>>>>>>>> been resolved.
>>>>>>>
>>>>>>> If you don't say *how* -- explain carefully what you changed, what
>>>>>>> your current settings are, then you leave us to guess. This is
>>>>>>> frustrating and you are less likely to receive any help this way.
>>>>>>>
>>>>>>>> At first I set
>>>>>>>> 'SUID_LOCATION' => array('VALUE' =>
>>>>>>>> '/var/www/html/webmail/plugins/server_settings_backend/suid_backend/squirrelmail_server_settings_suid_backend'),
>>>>>>>>
>>>>>>>> I find that /var/www/html/webmail/plugins/server_settings_backend also has
>>>>>>>> a squirrelmail_server_settings_suid_backend, and the file permission is
>>>>>>>> -rwsr-xr-x.
>>>>>>>>
>>>>>>>> So I changed the SUID_LOCATION value to
>>>>>>>> /var/www/html/webmail/plugins/server_settings_backend/squirrelmail_server_settings_suid_backend
>>>>>>>
>>>>>>> The only examples I can find point to the server_settings_backend
>>>>>>> directory. The copy of the suid_wrapper in the suid_backend directory
>>>>>>> shouldn't be used in your configuration. (I believe this is your
>>>>>>> oversight, unless you can point out where there was a misleading
>>>>>>> example.)
>>>>>>>
>>>>>>>> But I get another error "Remote file name cannot contain "/"" in the
>>>>>>>> /var/log/httpd/error_log.
>>>>>>>
>>>>>>> This is good in general. If you really need directory traversal
>>>>>>> (why?), read the docs on how to compile the suid wrapper. And once
>>>>>>> again, READ THE DOCS **BEFORE** you ask for help.
>>>>>>>
>>>>>>>> And if I set "$ssf_debug_server_settings_backend = 1" in the
>>>>>>>> server_side_filters/config.php, and after I click "Options->Message Filters"
>>>>>>>> on the web browser, the web page only displays the following message:
>>>>>>>>
>>>>>>>> Unable to retrieve file from command
>>>>>>>> "/var/www/html/webmail/plugins/server_settings_backend/squirrelmail_server_settings_suid_backend
>>>>>>>> 'localhost' 'buxiaobing' 'get_file' '/home/buxiaobing/.mailfiter'
>>>>>>>> '/var/local/squirrelmail/attach/xo4HqZ6WpSq6iUazfx1TLAmw3SEg6p9D'"
>>>>>>>>
>>>>>>>> Can't understand why it will retrieve the
>>>>>>>> /var/local/squirrelmail/attach/xo4HqZ6WpSq6iUazfx1TLAmw3SEg6p9D file, and
>>>>>>>> this file does not exist.
>>>>>>>>
>>>>>>>>
>>>>>>>> Bu Xiaobing
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Thanks for your help. I read the server_settings_backend/docs/SUID_BACKEND_ERRORS
>>>>>> and found the problems and it works now!
>>>>>
>>>>> Thanks for reading the docs. I'd just caution you again *against*
>>>>> allowing directory traversal. There is no reason you should need that
>>>>> and it is less secure.
>>>>>
>>>>
>>>> Do you mean I should not use SUID backend?
>>>
>>> I never said such a thing.
>>>
>>>> For now, I need SUID to save a kickoff file .forward
>>>> which contains "|exec /usr/bin/procmail || exit 75" at /home/USER,
>>>
>>> Let the wrapper obtain the user home directory. The SquirrelMail side
>>> (the filters plugin) should only pass the name of the file (.forward)
>>> and no path information.
>>>
>>>> So I can invoke procmail to do filtering. And I compiled SUID
>>>> with --enable-auth=imap to do authentication.
>>>
>>>
>>
>> I think I do as you suggest; the following is my server_side_filters/config.php:
>>
>> $filtering_kickoff_file = array(
>> 'BACKEND' => 'local_file',
>> 'ACCESS_TYPE' => array('VALUE' => 'SUID'),
>> 'SUID_LOCATION' => array('VALUE' => '/var/www/html/webmail/plugins/server_settings_backend/squirrelmail_server_settings_suid_backend'),
>> 'FILE' => array('VALUE' => '.forward'),
>> 'PARSE_PATTERN' => array('VALUE' => '#^(\"\|exec /usr/bin/procmail \|\| exit 75\")$#m'),
>> 'NEW_SETTING_TEMPLATE' => array('VALUE' => "\"|exec /usr/bin/procmail || exit 75\"\n"),
>> 'PATTERN_GROUP_NUMBER' => array('VALUE' => 1),
>> 'MAX_SEQUENTIAL_EMPTY_LINES' => 3,
>> 'TREAT_AS_EMPTY_WHEN_NOT_FOUND' => array('VALUE' => 1),
>> // un-comment the following to add to the top of existing files
>> //'ADD_TO_TOP' => array('VALUE' => 1),
>> );
>>
>> Bu Xiaobing
>
> And this:
>
> $filter_rules_storage_info = array(
> 'BACKEND' => 'local_file',
> 'ACCESS_TYPE' => array('VALUE' => 'SUID'),
> 'SUID_LOCATION' => array('VALUE' => '/var/www/html/webmail/plugins/server_settings_backend/squirrelmail_server_settings_suid_backend'),
> 'FILE' => array('VALUE' => '.procmailrc'),

Yup, good job. :-)

> 'PARSE_PATTERN' => array('VALUE' => "/^(.*)$/s"),
> 'PATTERN_GROUP_NUMBER' => array('VALUE' => 1),
> 'NEW_SETTING_TEMPLATE' => array('VALUE' => '%1'),
> 'DELETE_WHEN_EMPTY' => array('VALUE' => 1),
> 'TREAT_AS_EMPTY_WHEN_NOT_FOUND' => array('VALUE' => 1),
> 'SUID_DEBUG_OUTPUT' => array('VALUE' => '/tmp/squirrelmail_server_settings_backend_suid_debug'),
> );
>
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
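
The wrapper-side rule discussed in this thread (the web side passes only a bare file name such as `.forward`, the privileged wrapper rejects any name containing "/" and looks up the home directory itself), as an added example that is not part of the original message and is not the SquirrelMail wrapper's source. The function names are hypothetical and the sample inputs are constructed from values quoted in the thread.

```c
/* Added example: hypothetical helpers, not the SquirrelMail SUID wrapper. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 if name is a bare file name that is safe to join to a home
 * directory, 0 otherwise. */
int remote_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)      /* no path components at all */
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Join home and name into out. Returns 0 on success, -1 if the name is
 * rejected, home is not absolute, or the result would be truncated. */
int join_home_path(const char *home, const char *name, char *out, size_t outlen)
{
    int n;
    if (home == NULL || home[0] != '/' || !remote_name_ok(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", home, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The home directory comes from the password database, never from the
 * caller, so the web application cannot steer the privileged process. */
int resolve_user_file(const char *user, const char *name, char *out, size_t outlen)
{
    struct passwd *pw;
    if (user == NULL || !remote_name_ok(name))
        return -1;
    pw = getpwnam(user);
    if (pw == NULL || pw->pw_dir == NULL)
        return -1;
    return join_home_path(pw->pw_dir, name, out, outlen);
}

int main(void)
{
    char path[4096];
    /* Constructed inputs mirroring the two requests seen in the thread. */
    printf("%d\n", join_home_path("/home/buxiaobing", ".forward", path, sizeof path));
    printf("%d\n", remote_name_ok("/home/buxiaobing/.mailfiter"));
    return 0;
}
```
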